alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

Remove Debian 10 support

Browse Source
This commit is contained in:
Alan Orth
2022-09-11 09:21:08 +03:00
parent 399585f4e7
commit 34be0013b7
17 changed files with 28 additions and 12631 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10006
roles/common/files/abusers-ipv4.xml
View File

File diff suppressed because it is too large Load Diff

6
roles/common/files/abusers-ipv6.xml
View File

@ -1,6 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
<option name="family" value="inet6" />
<short>abusers-ipv6</short>
<description>A list of abusive IPv6 addresses.</description>
</ipset>

6
roles/common/files/spamhaus-ipv4.xml
View File

@ -1,6 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
<option name="family" value="inet" />
<short>spamhaus-ipv4</short>
<description>Spamhaus DROP and EDROP lists placeholder (IPv4).</description>
</ipset>

6
roles/common/files/spamhaus-ipv6.xml
View File

@ -1,6 +0,0 @@
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:net">
<option name="family" value="inet6" />
<short>spamhaus-ipv6</short>
<description>Spamhaus DROP list placeholder (IPv6).</description>
</ipset>

3
roles/common/handlers/main.yml
View File

@ -7,9 +7,6 @@
- name: reload sysctl
command: sysctl -p /etc/sysctl.conf
- name: restart firewalld
ansible.builtin.systemd: name=firewalld state=restarted
- name: reload systemd
ansible.builtin.systemd: daemon_reload=true

30
roles/common/tasks/fail2ban.yml
View File

@ -1,27 +1,45 @@
---
- name: Configure fail2ban sshd filter
ansible.builtin.template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644
ansible.builtin.template:
src: etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local
owner: root
mode: 0644
notify: restart fail2ban
- name: Configure fail2ban nginx filter
when:
- extra_fail2ban_filters is defined
- "'nginx' in extra_fail2ban_filters"
ansible.builtin.template: src=etc/fail2ban/jail.d/nginx.local.j2 dest=/etc/fail2ban/jail.d/nginx.local owner=root mode=0644
ansible.builtin.template:
src: etc/fail2ban/jail.d/nginx.local.j2
dest: /etc/fail2ban/jail.d/nginx.local
owner: root
mode: 0644
notify: restart fail2ban
- name: Create fail2ban service override directory
ansible.builtin.file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755
ansible.builtin.file:
path: /etc/systemd/system/fail2ban.service.d
state: directory
owner: root
mode: 0755
# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override
ansible.builtin.template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644
ansible.builtin.template:
src: etc/systemd/system/fail2ban.service.d/override.conf.j2
dest: /etc/systemd/system/fail2ban.service.d/override.conf
owner: root
mode: 0644
notify:
- reload systemd
- restart fail2ban
- name: Start and enable fail2ban service
ansible.builtin.systemd: name=fail2ban state=started enabled=true
ansible.builtin.systemd:
name: fail2ban
state: started
enabled: true
# vim: set sw=2 ts=2:

78
roles/common/tasks/firewall_Debian.yml
View File

@ -1,17 +1,7 @@
---
# Debian 10 will use firewalld with the iptables backend.
# Debian 11 will use nftables directly, with no firewalld.
- block:
- name: Set Debian firewall packages
when: ansible_distribution_major_version is version('10', '<=')
ansible.builtin.set_fact:
debian_firewall_packages:
- firewalld
- tidy
- fail2ban
- python3-systemd # for fail2ban systemd backend
- name: Set Debian firewall packages
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.set_fact:
@ -53,64 +43,6 @@
- restart nftables
- restart fail2ban
- name: Use iptables backend in firewalld
when: ansible_distribution_major_version is version('10', '==')
ansible.builtin.lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^FirewallBackend=nftables$'
line: 'FirewallBackend=iptables'
notify:
- restart firewalld
- restart fail2ban
# firewalld seems to have an issue with iptables 1.8.2 when using the nftables
# backend. Using individual calls seems to work around it.
# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
- name: Use individual iptables calls
when: ansible_distribution_major_version is version('10', '==')
ansible.builtin.lineinfile:
dest: /etc/firewalld/firewalld.conf
regexp: '^IndividualCalls=no$'
line: 'IndividualCalls=yes'
notify:
- restart firewalld
- restart fail2ban
- name: Copy firewalld public zone file
when: ansible_distribution_major_version is version('10', '<=')
ansible.builtin.template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
- name: Format public.xml firewalld zone file
when: ansible_distribution_major_version is version('10', '<=')
command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
notify:
- restart firewalld
- restart fail2ban
- name: Copy firewalld ipsets of abusive IPs
when: ansible_distribution_major_version is version('10', '<=')
ansible.builtin.copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
loop:
- abusers-ipv4.xml
- abusers-ipv6.xml
- spamhaus-ipv4.xml
- spamhaus-ipv6.xml
notify:
- restart firewalld
- restart fail2ban
- name: Copy Spamhaus firewalld update script
when: ansible_distribution_version is version('10', '<=')
ansible.builtin.copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
- name: Copy Spamhaus firewalld systemd units
when: ansible_distribution_version is version('10', '<=')
ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
loop:
- update-spamhaus-lists.service
- update-spamhaus-lists.timer
register: spamhaus_firewalld_systemd_units
- name: Copy Spamhaus nftables update scripts
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
@ -132,15 +64,7 @@
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
ansible.builtin.systemd: daemon_reload=true
when: spamhaus_firewalld_systemd_units is changed or
nftables_systemd_units is changed
- name: Start and enable Spamhaus firewalld update timer
when: ansible_distribution_version is version('10', '<=')
ansible.builtin.systemd: name=update-spamhaus-lists.timer state=started enabled=true
notify:
- restart firewalld
- restart fail2ban
when: nftables_systemd_units is changed
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('11', '>=')

5
roles/common/templates/etc/fail2ban/jail.d/nginx.local.j2
View File

@ -2,13 +2,8 @@
enabled = true
# See: /etc/fail2ban/filter.d/nginx-botsearch.conf
filter = nginx-botsearch
{% if (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')) %}
# Integrate with nftables
banaction=nftables[type=allports]
{% else %}
# Integrate with firewalld and ipsets
banaction = firewallcmd-ipset
{% endif %}
backend = pyinotify
logpath = /var/log/nginx/*-access.log
# Try to find a non-existent wp-login.php once and get banned. Tough luck.

5
roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
View File

@ -2,13 +2,8 @@
enabled = true
# See: /etc/fail2ban/filter.d/sshd.conf
filter = sshd
{% if (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')) %}
# Integrate with nftables
banaction=nftables[type=allports]
{% else %}
# Integrate with firewalld and ipsets
banaction = firewallcmd-ipset
{% endif %}
backend = systemd
maxretry = {{ fail2ban_maxretry }}
findtime = {{ fail2ban_findtime }}

81
roles/common/templates/public.xml.j2
View File

@ -1,81 +0,0 @@
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<interface name="{{ ansible_default_ipv4.interface }}"/>
{# ssh rules #}
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
{# ipv6 ssh rules #}
<rule family="ipv6">
<source address="::/0"/>
<port protocol="tcp" port="22"/>
<accept/>
</rule>
{# web rules #}
<rule family="ipv4">
<source address="0.0.0.0/0"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
{# ipv6 web rules #}
<rule family="ipv6">
<source address="::/0"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
{# munin rules #}
{% if munin_master_host is defined %}
<rule family="ipv4">
<source address="{{ ghetto_ipsets[munin_master_host].src }}"/>
<port protocol="tcp" port="{{ munin_node_port }}"/>
<accept/>
</rule>
{% endif %}
{# extra rules #}
{% if extra_iptables_rules is defined %}
{% for rule in extra_iptables_rules %}
<rule family="ipv4">
<source address="{{ ghetto_ipsets[rule.acl].src }}"/>
<port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
<accept/>
</rule>
{# ipv6 extra rules #}
{% if ghetto_ipsets[rule.acl].ipv6src is defined %}
<rule family="ipv6">
<source address="{{ ghetto_ipsets[rule.acl].ipv6src }}"/>
<port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
<accept/>
</rule>
{% endif %}
{% endfor %}
{% endif %}
<rule>
<source ipset="abusers-ipv4"/>
<drop/>
</rule>
<rule>
<source ipset="abusers-ipv6"/>
<drop/>
</rule>
<rule>
<source ipset="spamhaus-ipv4"/>
<drop/>
</rule>
<rule>
<source ipset="spamhaus-ipv6"/>
<drop/>
</rule>
</zone>