Remove extra TCP ports from firewall rules

Now all web hosts get TCP 80 and 443 open automatically.
roles/common: Update cache in firewall playbook
2021-07-28 14:49:50 +03:00 · 2021-07-28 14:46:58 +03:00 · 2021-07-28 14:18:41 +03:00 · 2021-07-27 22:03:23 +03:00 · 2021-07-27 22:01:57 +03:00 · 2021-07-27 21:22:32 +03:00
18 changed files with 789 additions and 177 deletions
--- a/host_vars/web19
+++ b/host_vars/web19
@@ -1,93 +1,90 @@
 $ANSIBLE_VAULT;1.1;AES256
-61656664353138633065303035666561313533626634653961653463386162663835383330353538
-3937313464323231366361353036303262316537623035640a653039616137663862313235376435
-62623932373034326334376162336237306365326531356338366638643361626461663066303161
-3736316264346666650a396436643233343365646232383333366133323334386438623464616265
-34333435626465343363363339383634633461326330616533373361623535633262303962316562
-35306533616238346164313430366633636365316365613030323231336438613832383839633931
-66323438303961636130653636313765333631393138653664643533373366333466376663386134
-35353139366462663337613232323937653231626365386539653837613830333830643564616366
-30373938326233383536353230376163393962653933663262376664626437656363346132643038
-66373037386666313266303639663735373333616230333637393133376133323234323737646462
-31323731336135616264633137303534383664333439613836333037323036633661666536636235
-34363239313938326361366634313562626339613237346131393234333132656534666232343239
-66346539626264363163313435376665313266366337646531343661323665633634633961376466
-34323637363161653035353631633865323133656334383332646233653637383838343763303231
-66376466303531336438396466626233386232616330626365386536663265316637366166336163
-64643433336263643831313737613139616236653332616462636438643362366635333739383132
-35323133363565313164396635303335626537636636633266303862396536643535343430616233
-63613332613937656230333438616632313963386462656332373730343633663062356533326435
-33613964323866643437616439353462373435343462616139393934663861653666353566666433
-37396366356634613637306362393161643332623432326633376564666130646333316265656363
-33383631616637343237633532303137613466626262616166333763313334656438656534366566
-37613762623538336161643035393532383639653639376434316539663066626563633063303635
-39333563636535343535333739353834626239303666323137356434656630343731626639646637
-64306265313036363234303965396462633630653733363263303130343536656637356135356466
-63353339353735646466643464613535323538343030653636366563643238303137313662646631
-38363233386462396166383237396533343737383836623234663965343136643339626238663931
-35343630303833396538663236363039656463643336333238656661316566353033353839646565
-65306338313366666165643962303465663438316233356661643162663237393437343332623833
-39353837316363633937396537336166333736613162363632363864356663333938313533303166
-31633862633139303639386237386535393562303836663331663234643239666662663463393230
-65333938333833613165636438666664336539323162616333623564333835353363396439353961
-64616666346336396535356635626565656233306538323333316462353837346562613663646630
-66633165653236363038396139633662323931343731343134373034636536633232323066613161
-30613836613437666161623734356539626238343935616666643439636639636563656533366266
-35313430633263623862643335393232386338353761383038303733656164356133323061666536
-33643933626664613935313039336438633539373735376434353862313264653934613637323533
-65323336373536626437313064376661373530623466323366393064623439396631393732653561
-31326262663162656661666633663264396334656636626461316231613864316466366637373666
-38636339383739646139363865366232323564333934356331353666393531666263646663366330
-61353934613934663232373031646133303331656338626534343930393831353633646361383139
-35343762336530386138633762623062353337613538306134323466386534353836616334373730
-66366361373537336664663831353265353935383963306636656561336164666131313966373431
-33366131396466613835636636353734386262666534323331343235623166356438613636383633
-35393566656263653330393930366133346566313439323462333865323330663630303838346331
-61633734623862313835306433383466663935633338616633323730666362613931666661343037
-62643731366465353337396138653630366536653261313134643831376461353634636662666537
-64373835633331356535393436616265333035616139393331363130306234323331663539666266
-61343838313930666463316138643831316134376139386233306663626562616565343662316638
-35303232346638353530386537646139656233633963303564613634356436396530353235613039
-64393734383563323337373963353834386433633666356166666136346439623666663363366661
-64333431623563656361376530373762346563343134393439346130336138396436383835316138
-35636637336162346234373837386263343035613537346666303634393730643665373734613333
-32653465616634666161313232353030633135346438376432666563356634333136386262636136
-64653735623737333833366434343337643864306339316461623139613633313730356237663930
-32316638363131623766353134656431326630636165363236633465393263383933353234336530
-31346438616434646239633661343431343633306436353561393334336533343866316237343164
-39633132363134313935663234323231663032333933376339656137376333366363663330343066
-64306431383362643935663963383238356462663964383664636436313136373162356534353165
-64306566313435663839666564643530666432343763663636306637326338376366373133616438
-32623963313164323130323839323331643138653266343064393536373538656566623965366434
-35306161393763333836623833383233613839393761643532626631646461396265653632633461
-61656137393235306162366262663762346164643964363730373536616362386365653437313461
-37353231353338336539636361386438333664393530646335633461336435626663653830356466
-36623964623635393436386361643331373864646233316463643261383431333163373430306535
-62653539396265643365623431393430383663386131376163393538343261653362663433666433
-35306634313131353532626461643930386338356561326533393363323037383133306637313339
-38376332613632363265613033393332613837333936303065623332346164333162316161383932
-36363966313331373463616236306439343364323032623865306262663663336636613936336337
-33316263653139393035306361333631303437303337613830316536633030346539653764366666
-35666535353235373431626166663366356432306439653335393832633531336266366639373762
-62383566363033663161336130363739343037313438643633636666343733313532396439303137
-39636534383638623461623832653766633865656662363334303161323532623137323434373633
-62666633316133396239363936323862616234373535386534653166653731396334633064353466
-37646464646437343263663361616163346665376661363963623536333965653062383939353362
-64373131333263316232313261646132376233333165643137643931336539353531336638303831
-63383261666261393037316437336538376530396333336339633664326365346332616335636538
-61356336666236306133323431393763653336636132343335656238356131366432626266656539
-36343262313464653733396437623339633138353163656165353363393233316632303135626635
-62643735323137376633316662343335373663643539353934623538666164363135643034613566
-37356138376463366235626232343231323935633339643234626537653931613166633337366563
-38383761356262386537373136366131323330383834326534623830616435316633393730396533
-36343732386261616461313836346131656331396438366431636361643539666264383439643661
-62626332363266393439653137653438343431633933653930383762323439636137363834623834
-36366533633363623731383161363535346632313965616539373364623835333733333766356462
-38363838636364383037633230336636363565613231326638306432393634343865356632323638
-32353931656564653361373665393065396337346435343638626265333038653730613731393230
-64316264383039353663613962643734356661313761626638363063626333633330613536353830
-38653063656363663532366632376638313339613764363931303861626132663566636234613836
-64343161646634316139616236366234666335633163613565336539386439373038366362353337
-38323133633637653537363161366231393362303161343130666261663936383866333762316631
-32313332336333626362333037613331343230646532396465653634396638303637656535306532
-31623135346332613133
+65663536313134623237366561313432326563363838633136343935646463366365623639663431
+3936643964663264616638343262306431303531306636370a636564383532343736333131393036
+37396335336638383531623437653836393830616134353637366563383064383464343637383563
+3961623466653065360a636538346465303137346566383361323664613862313331363165326336
+63383439633731653037396439346637336563346536303139383765333435633130613737393561
+61333836663431303165663265636562306462633138643665663433613838623035366133386331
+64656139623336333332666664353430323334396534663764313964656231623630653365396336
+35383239326432323263653562653466323765636264353536373439303833633934386632363063
+34373033356538343637653063393335373735613136393965326231646630643330343463343634
+37613461303564323934393739313666653138306566643039343463636532316462336239643234
+62393330326163396564393038383438376633313262613832653363613666353232616534343833
+32643661346339333664366239613437383435393061333365303935303363613031313365336631
+30303163383061383266633434323937633962396663643265336537316431623532363365373263
+66333165613666356633636562306138326363336233646634313531653765636531386338343239
+35383433366564663938363739633364393131643866383937316135646166323031653261633930
+30323234633430366361666563633432383636323638643130323164393466623062353536306465
+32613463343334323763316337636266633763613862376562393638643664643362653033303936
+39323164346465636137343239663264336463623632353633653333343566623835636331633833
+37323762303830373234643362623731336266326335353764356465386332306366303031343766
+35353263306161363530633464376534316231373262643066323233633365323962313466326432
+65656239333737393164636437633234376330386466663661626632356435653362663566396263
+65316466396636386632333438623961323938653139623265616239653564376430343363346336
+64363837303063626366373466383934646434343334383736373561393235613637653532396562
+30346238393130343462653864656365326535353864613034326630653465333935303038363663
+34663462633930613264333534616334633733663061326163313663313936326364393265333335
+31313730623937356166326263613765323163643633616534346466363965366464303464326438
+65393631636131393736353663383938663762326537643135363337316466353430616364303037
+64373837613466613032653137323564303937626339626638663666613134613036373938323432
+33663135366639363339376236363430363464663862386665643530363835336339646535363931
+36346430623934343061663463396636306531663134643363313839306461393461666334393231
+30633364313335386362303532373534616336643835313062313862636261363562396638623833
+36653932656163373832653738643864353964303736303339343738616137326234636133303334
+34653732386433343434633933373834636136646632306536313162313864313339653631346464
+32393766303963316639643730613334396562333734393063333762333862663739333964316637
+37616630383932656133313137623435626133666537313837663438663663623964386363353233
+36343138633933336633306133356136663130313963333066356665643932623362383630323566
+63363933653131303630313366373361366264663866333464623963613635323334636538376635
+66323436356331616461663235613361643732316235626136653664306138363434383532373466
+35643233333039666133626435393737383930623734336164366432363132303538313637363364
+63393738393139303264653763643263613363343738343938616636636530323362323631363633
+61336565333961636335613162383733353634346662336431396565343239326232613966373739
+31353563323763353862663161346538346139363064653761303331393036636439313632666464
+37356165346264333761346137386435323435623162393138613166613163333330613135613831
+32653130343034666464343564616138393462386637653938396163303737303161386231306265
+35306163653839313034316364653061626439353434336432323262363633623330613561323038
+66383331323631323437306536623566653966303332663535316631626262343662623730393963
+35343636396138326431393263663665633230623364643232626538633131653939623131613434
+66626439656365393733613265333438613462656563303262363937616132656464666339633336
+39323535616531666263623665326239396231383939616166613366393430636435313866323132
+66396332396265353633626332306230653736313439386635643236313664653337366635303861
+31636333336666653137343432646438353066643766383438663237646130353135333764613866
+61613035613266623464626639393534626236666161386262373634353232303230336130363037
+34366435383831313863653762616163373632636363306337353765386232306534306433656339
+66353532303637373232376134383838303736353131383464386461303839336238643463326662
+61333663323536613539313730396236666135346535633537616365313033363732643631323431
+33613037346663623539666538386339653531353432383930363235616565343262353138643833
+38653531663962316236313437616662663931646464323763333064303432656537613363383032
+33333837383332616238316165343863613864393235363537376264653961373465656333366639
+39366439316663303865656366343565343366353566363331616632363830613037366162663437
+35663661646133343263343264313430303432363566343164633762663361396462643162626137
+30373233326533313266373630356530643732343235653764636363393034363537326265363730
+33363333373633393764643032303732356464636263333039323364643337343339613762633732
+38353364313231613563326534636434376532333736613937313463636431623762353134313863
+36666638616433653139333234316638633835626634343139363861633239643430623364633336
+31363630306131376231646535323437633733666537316662663439666130343966633938356538
+31646132613161383264306139396239663638336165326238386461303961323837346435356464
+39623862636235323662356265666235613238396263396337353065396535363165613439663063
+35323361353037353263393965303334393136386138633734303632326631343035666562373565
+37313833323533326164643430333839643138386237376465643465663439383939323534303538
+61633237643637313832663338373938373935656166323432383763396236326430653666623165
+39616638383862616639316261666335666131643866663534313731326461346437323236623966
+34343735626630373265353330373738613762333264626666353936373230366133626134306634
+31633131636165663362616434653061373532666534643866613861366461316461653163633063
+61333231306363653763326264303165323461653234613337313064313035633866653762393363
+66376338336635653966636361636566353135373930643432346236336564303632303636356165
+33653038613664636362353461326164376163653634373737643762636631396461313662633361
+61356335376235376363333465616230373937663330646430663237306465653266313865353038
+66303938303734643633656561653439316365623833333438393963386565363162363731316239
+38383531613238333633306432643062313930613733343735643637303438626638333734303362
+33333566346664366536656333643235636635343639653863336266633939616563333964613963
+31336237666234616136353033663031346666383564626265303835326437353437653531616336
+62376264353839363566303130393537633565646332343966333331323538343333623766656363
+62373633366665653163653530626230313530346430363536303132623664646166316438333038
+35306334383766333264323235623866633331636433336263313334633331303662623263343162
+31663331643336623431333364633863653333393361313064616236643431633963366331323262
+63656238373433396165333239666332653839363431663164373261386664376161656534663134
+36653435333563376536396536653464346430326565653561353361323635656137616632353633
+39363036643837306431623335646230643533353334656137313666376337633832653862313830
+38306639303137633364353561386435653663326534393364313163663964366539
--- a/host_vars/web20
+++ b/host_vars/web20
@@ -1,40 +1,38 @@
 $ANSIBLE_VAULT;1.1;AES256
-61636430353563303666303437643561616133666338653866366366396630313131313437643862
-6361363036623637623463653734373166353634663666320a313533626237633165353232363330
-64306366363162376334363738383966343762633339363065356337336230373262363132306365
-6438313136313538650a323763633066616135623535383739386364633132633263363236343966
-36363033613936383261663061633032353735373334356539326663366137653534646162343238
-33663633633562343964386464613735663662346133316137396263626137643565353566333564
-65353038396631646262306361356539343532303535386330396331333832613230346665396535
-30353339653661396238336261333865616666623664663861356238626465316661616133363364
-33623137306136653666333135633136336364373763346332633536306630306463303837656330
-39613163383461373638623931333936383861616462383466656236303835326533363763333439
-33343966353136613434313330613638316366373065343663626230336136663033663862333262
-39383430363861343330313633343836343733336366316563313731343462376361646538343361
-35306331666631313566303838653737333230386436323038366639316532373739366530353464
-64396331383238623366666132376564646439386465666533656136386263393333396564343063
-62623235666561356333663763313266623034613263303265663336373531666233303234373531
-30346133363264396464333031393266316634393136343538313561396661383239383361633530
-65396636313162323839623139613164613766336438366166623739633164323537353964643437
-63333461613966643362633131313735306435663638366635333335633465633531613937396265
-66646530366165643235326230633431643332616562316662646633346336613936623434616361
-32356637353932633662323233373965633462623839643534323762303934633231303435626339
-64663761356639313535323361363161333864333435643131663963316636623239333963396432
-36376561353661383831623535383466366238346361386438653739386632633134643134643662
-35376239383736343365376565616631383633636363626434313663616336313565366239383332
-32336336326163343537343062383636656233666238633433643331363764623765613862323238
-61626630666566623266363465333830636138616639663132393333343563653138663633316364
-30663537633031663066346461343562346438646539376434353565303564356165336463326237
-39393932636431323130633035343535316436653835366233633362393839363365656665363464
-32373834613364623333383563633236343264386463366433373530313837353636376139343532
-30653431313235663036626135616139666365666539643163396666373939323437363762306339
-39613638663137663737336531333937393965373765626161393837656264303362623235323764
-37383637353765613031306536326537646338343538636163326338636137343636373335386232
-37363263376561623934313766323836353735626538346639353365656664306266303863343434
-37306435323837343830633336303562653737303134633266343238356430383466396561323938
-36653536666133663963393735323764666132343233636435336431613831336561303331363236
-31643035376165303337386331323762616361666437313531666432616439393233666631326366
-61313237393737633639353864663134393539363562376236646239616438373437623734313635
-34376161633738343164323762343665306664386430313439303935333135316561326138643532
-34623235383662386335646535616237366366303539383237666462613835633938383462646130
-363931303435656133356261366538633266
+34326537633464633537356334326565663133373634616635346466646239653334373235316234
+3766373939636238643137646430376534306331636333620a343535343563663237633034653936
+36393639633362643835653863633937663734333965363932623438306436613139346538313762
+3165303261303563380a393435316132373564663063663566623833336638393237326335333136
+34323738383266626566326439363064366563353035643833633835626533306539383532326239
+31303933386265643264376336393633613432343263346330353736323066626538363162643461
+66366335656164313865373065636433333030656534356461663730613363613531653934636663
+39636234623765386132663561613335373264326566663230653437376136303138393638363564
+66386661653736373033616365336637343835316632336631306637643166366534303762626536
+31376233626662646635376465626136653962616265346365643531363632643930653032306131
+33653133363931666135663237323133653461323038653535633138653837363030363464323464
+37663661643139343638393137636532303866623132303632353863353736323536313832373931
+37366334636139396264656538336465666463393764326639366465613662343965393339623165
+62303732316632343062313432316265356564376336633935373131333161396332346431633633
+31313238376435326662613461373931356633336538613939356166363631646538373862636139
+31376533323966663838366332613331313365643539643861626263303436316231623833626537
+34333733393935326534343038633463363964393263396531383635633437376633616461656361
+32613634643931666461363332353762623064306632303564633633373565373930326134313765
+31613130326335323363306335303662376262383738383531303937346366333137373961393066
+39663936636265386236646536666466653938663135386463346231626566303035616330643063
+30363362643637303634636165313539383039653164653166656335333763666435323762613838
+39306463643937306435376336616466376337633132326365313939363463613739663638663962
+65303533663533303862383631363432636464653437376335376131333739663164336161356630
+66323535306232333330383832356437653539393363336630303639626365613463363364353464
+65356162346430636166343636663735393838636332396261343065363862346638323132323363
+65343439383937633138303039376336333130313763326331373262343461626434633866383135
+62306163613639646137386630643631383462653738313535333863663431303437383236643435
+63643463323537633764653464366235633466663839333265663734663038366666336635363064
+30343639353665336237363530313531363866376237656333313236643035383031646134653765
+37616636613364613163343735633366303832633964633564356362643337613532396262393631
+32373464343338636231323435393163346339646263333234636432313434333334636565333737
+64363536666662656262393931646632303532373664616434316465393836336565343362616138
+63666263653231353732336365383465623236656239653136323765653132376237306163653062
+30316134623161323935383536353939393565313138333664646539663337383236336631303265
+65363164626130633131636535623965383031353735373734656166633230303965303236626134
+64633536366238336630366138323462653263653238343839393365383162366333333664646261
+3638
--- a/roles/common/files/aggregate-cidr-addresses.pl
+++ b/roles/common/files/aggregate-cidr-addresses.pl
@@ -0,0 +1,89 @@
+#!/usr/bin/perl
+#
+# aggregate-cidr-addresses - combine a list of CIDR address blocks
+# Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see L<http://www.gnu.org/licenses/>.
+#
+# [MJS 22 Oct 2001] Aggregate CIDR addresses
+# [MJS  9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
+# [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
+# [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
+# [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
+
+use strict;
+use warnings;
+use English qw( -no_match_vars );
+use Net::IP;
+
+## Read in all the IP addresses
+my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
+    map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
+
+## Split any ranges into prefixes
+@addrs = map {
+    defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
+        $_->find_prefixes
+} @addrs;
+
+## Sort the IP addresses
+@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
+
+## Handle overlaps
+my $count   = 0;
+my $current = $addrs[0];
+foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
+    my $r = $current->overlaps($next);
+    if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
+        $current = $next;
+        $count++;
+    }
+    elsif ( $r == $IP_A_IN_B_OVERLAP ) {
+        $current = $next;
+        splice @addrs, $count, 1;
+    }
+    elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
+        splice @addrs, $count + 1, 1;
+    }
+    else {
+        die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
+    }
+}
+
+## Keep aggregating until we don't change anything
+my $change = 1;
+while ($change) {
+    $change = 0;
+    my @new_addrs = ();
+    $current = $addrs[0];
+    foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
+        if ( my $total = $current->aggregate($next) ) {
+            $current = $total;
+            $change  = 1;
+        }
+        else {
+            push @new_addrs, $current;
+            $current = $next;
+        }
+    }
+    push @new_addrs, $current;
+    @addrs = @new_addrs;
+}
+
+## Print out the IP addresses
+foreach (@addrs) {
+    print $_->prefix(), "\n";
+}
+
+# $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $
--- a/roles/common/files/spamhaus-ipv4.nft
+++ b/roles/common/files/spamhaus-ipv4.nft
@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+define SPAMHAUS_IPV4 = {
+192.168.254.254/32
+}
--- a/roles/common/files/spamhaus-ipv6.nft
+++ b/roles/common/files/spamhaus-ipv6.nft
@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+define SPAMHAUS_IPV6 = {
+fd21:3523:74e0:7301::/64
+}
--- a/roles/common/files/update-spamhaus-nftables.service
+++ b/roles/common/files/update-spamhaus-nftables.service
@@ -0,0 +1,27 @@
+[Unit]
+Description=Update Spamhaus lists
+# This service will fail if nftables is not running so we use Requires to make
+# sure that nftables is started.
+Requires=nftables.service
+# Make sure the network is up and nftables is started
+After=network-online.target nftables.service
+Wants=network-online.target update-spamhaus-nftables.timer
+
+[Service]
+# https://www.ctrl.blog/entry/systemd-service-hardening.html
+# Doesn't need access to /home or /root
+ProtectHome=true
+# Possibly only works on Ubuntu 18.04+
+ProtectKernelTunables=true
+ProtectSystem=full
+# Newer systemd can use ReadWritePaths to list files, but this works everywhere
+ReadWriteDirectories=/etc/nftables
+PrivateTmp=true
+WorkingDirectory=/var/tmp
+
+SyslogIdentifier=update-spamhaus-nftables
+ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
+          /usr/local/bin/update-spamhaus-nftables.sh
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/common/files/update-spamhaus-nftables.sh
+++ b/roles/common/files/update-spamhaus-nftables.sh
@@ -0,0 +1,91 @@
+#!/usr/bin/env bash
+#
+# update-spamhaus-nftables.sh v0.0.1
+#
+# Download Spamhaus DROP lists and load them into nftables sets.
+# 
+# See: https://www.spamhaus.org/drop/
+#
+# Copyright (C) 2021 Alan Orth
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Exit on first error
+set -o errexit
+
+spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
+spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
+
+function download() {
+    echo "Downloading $1"
+    wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
+}
+
+download drop.txt
+download edrop.txt
+download dropv6.txt
+
+if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
+    echo "Processing IPv4 DROP lists"
+
+    spamhaus_ipv4_list_temp=$(mktemp)
+    spamhaus_ipv4_set_temp=$(mktemp)
+
+    # Extract all networks from drop.txt and edrop.txt, skipping blank lines and
+    # comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
+    # ranges to work around a firewalld bug.
+    #
+    # See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
+    cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
+
+    echo "Building spamhaus-ipv4 set"
+    cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
+#!/usr/sbin/nft -f
+
+define SPAMHAUS_IPV4 = {
+NFT_HEAD
+
+    while read -r network; do
+        # nftables doesn't mind if the last element in the set has a trailing
+        # comma so we don't need to do anything special here.
+        echo "$network," >> "$spamhaus_ipv4_set_temp"
+    done < $spamhaus_ipv4_list_temp
+
+    echo "}" >> "$spamhaus_ipv4_set_temp"
+
+    install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
+
+    rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
+fi
+
+if [[ -f "dropv6.txt" ]]; then
+    echo "Processing IPv6 DROP lists"
+
+    spamhaus_ipv6_list_temp=$(mktemp)
+    spamhaus_ipv6_set_temp=$(mktemp)
+
+    sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
+
+    echo "Building spamhaus-ipv6 set"
+    cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
+#!/usr/sbin/nft -f
+
+define SPAMHAUS_IPV6 = {
+NFT_HEAD
+
+    while read -r network; do
+        echo "$network," >> "$spamhaus_ipv6_set_temp"
+    done < $spamhaus_ipv6_list_temp
+
+    echo "}" >> "$spamhaus_ipv6_set_temp"
+
+    install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
+
+    rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
+fi
+
+echo "Reloading nftables"
+# The spamhaus nftables sets are included by nftables.conf
+/usr/sbin/nft -f /etc/nftables.conf
+
+rm -v drop.txt edrop.txt dropv6.txt
--- a/roles/common/files/update-spamhaus-nftables.timer
+++ b/roles/common/files/update-spamhaus-nftables.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Update Spamhaus lists
+
+[Timer]
+# Once a day at midnight
+OnCalendar=*-*-* 00:00:00
+# Add a random delay of 0–3600 seconds
+RandomizedDelaySec=3600
+Persistent=true
+
+[Install]
+WantedBy=timers.target
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -15,3 +15,6 @@

 - name: reload systemd
  systemd: daemon_reload=yes
+
+- name: reload nftables
+  systemd: name=nftables state=reloaded
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -1,7 +1,9 @@
 ---
+# Debian 11 will use nftables directly, with no firewalld.

 - block:
  - name: Set Debian firewall packages
+    when: ansible_distribution_major_version is version('10', '<=')
    set_fact:
      debian_firewall_packages:
        - firewalld
@@ -9,12 +11,43 @@
        - fail2ban
        - python3-systemd # for fail2ban systemd backend

-  - name: Install firewalld and deps
-    when: ansible_distribution_major_version is version('9', '>=')
-    apt: pkg={{ debian_firewall_packages }} state=present
+  - name: Set Debian firewall packages
+    when: ansible_distribution_major_version is version('11', '>=')
+    set_fact:
+      debian_firewall_packages:
+        - fail2ban
+        - libnet-ip-perl # for aggregate-cidr-addresses.pl
+        - nftables
+        - python3-systemd
+
+  - name: Install firewall packages
+    apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600
+
+  - name: Start and enable nftables
+    when: ansible_distribution_major_version is version('11', '>=')
+    systemd: name=nftables state=started enabled=yes
+
+  - name: Copy nftables.conf
+    when: ansible_distribution_major_version is version('11', '>=')
+    template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
+    notify:
+      - reload nftables
+
+  - name: Create /etc/nftables extra config directory
+    when: ansible_distribution_major_version is version('11', '>=')
+    file: path=/etc/nftables state=directory owner=root mode=0755
+
+  - name: Copy extra nftables configuration files
+    when: ansible_distribution_major_version is version('11', '>=')
+    copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644 force=no
+    loop:
+      - spamhaus-ipv4.nft
+      - spamhaus-ipv6.nft
+    notify:
+      - reload nftables

  - name: Use iptables backend in firewalld
-    when: ansible_distribution_major_version is version('10', '>=')
+    when: ansible_distribution_major_version is version('10', '==')
    lineinfile:
      dest: /etc/firewalld/firewalld.conf
      regexp: '^FirewallBackend=nftables$'
@@ -26,7 +59,7 @@
 # backend. Using individual calls seems to work around it.
 # See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
  - name: Use individual iptables calls
-    when: ansible_distribution_major_version is version('10', '>=')
+    when: ansible_distribution_major_version is version('10', '==')
    lineinfile:
      dest: /etc/firewalld/firewalld.conf
      regexp: '^IndividualCalls=no$'
@@ -35,24 +68,69 @@
      - restart firewalld

  - name: Copy firewalld public zone file
-    when: ansible_distribution_major_version is version('9', '>=')
+    when: ansible_distribution_major_version is version('10', '<=')
    template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600

  - name: Format public.xml firewalld zone file
-    when: ansible_distribution_major_version is version('9', '>=')
+    when: ansible_distribution_major_version is version('10', '<=')
    command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
    notify:
      - restart firewalld

-  - name: Copy ipsets of abusive IPs
-    when: ansible_distribution_major_version is version('9', '>=')
+  - name: Copy firewalld ipsets of abusive IPs
+    when: ansible_distribution_major_version is version('10', '<=')
    copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
    loop:
      - abusers-ipv4.xml
      - abusers-ipv6.xml
+      - spamhaus-ipv4.xml
+      - spamhaus-ipv6.xml
    notify:
      - restart firewalld

+  - name: Copy Spamhaus firewalld update script
+    when: ansible_distribution_version is version('10', '<=')
+    copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
+
+  - name: Copy Spamhaus firewalld systemd units
+    when: ansible_distribution_version is version('10', '<=')
+    copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
+    loop:
+        - update-spamhaus-lists.service
+        - update-spamhaus-lists.timer
+    register: spamhaus_firewalld_systemd_units
+
+  - name: Copy Spamhaus nftables update scripts
+    when: ansible_distribution_version is version('11', '>=')
+    copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
+    loop:
+      - update-spamhaus-nftables.sh
+      - aggregate-cidr-addresses.pl
+
+  - name: Copy Spamhaus nftables systemd units
+    when: ansible_distribution_version is version('11', '>=')
+    copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
+    loop:
+        - update-spamhaus-nftables.service
+        - update-spamhaus-nftables.timer
+    register: spamhaus_nftables_systemd_units
+
+  # need to reload to pick up service/timer/environment changes
+  - name: Reload systemd daemon
+    systemd: daemon_reload=yes
+    when: spamhaus_firewalld_systemd_units is changed or
+          spamhaus_nftables_systemd_units is changed
+
+  - name: Start and enable Spamhaus firewalld update timer
+    when: ansible_distribution_version is version('10', '<=')
+    systemd: name=update-spamhaus-lists.timer state=started enabled=yes
+    notify:
+      - restart firewalld
+
+  - name: Start and enable Spamhaus nftables update timer
+    when: ansible_distribution_version is version('11', '>=')
+    systemd: name=update-spamhaus-nftables.timer state=started enabled=yes
+
  - include_tasks: fail2ban.yml
    when: ansible_distribution_major_version is version('9', '>=')
  tags: firewall
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@@ -1,7 +1,14 @@
 ---
+# Ubuntu 20.04 will use nftables directly, with no firewalld.
+# Ubuntu 18.04 will use firewalld with the nftables backend.
+# Ubuntu 16.04 will use firewalld with the iptables backend.

 - block:
+  - include_tasks: firewall_Ubuntu_cleanup.yml
+    when: ansible_distribution_version is version('20.04', '==')
+
  - name: Set Ubuntu firewall packages
+    when: ansible_distribution_version is version('20.04', '<')
    set_fact:
      ubuntu_firewall_packages:
        - firewalld
@@ -9,47 +16,57 @@
        - fail2ban
        - python3-systemd # for fail2ban systemd backend

-  - name: Install firewalld and deps
-    when: ansible_distribution_version is version('16.04', '>=')
-    apt: pkg={{ ubuntu_firewall_packages }} state=present
+  - name: Set Ubuntu firewall packages
+    when: ansible_distribution_version is version('20.04', '>=')
+    set_fact:
+      ubuntu_firewall_packages:
+        - fail2ban
+        - libnet-ip-perl # for aggregate-cidr-addresses.pl
+        - nftables
+        - python3-systemd
+
+  - name: Install firewall packages
+    apt: pkg={{ ubuntu_firewall_packages }} state=present cache_valid_time=3600

  - name: Remove ufw
    when: ansible_distribution_version is version('16.04', '>=')
    apt: pkg=ufw state=absent

-  # I'm not sure why, but you can use firewalld with the nftables backend even
-  # if nftables itself is not installed. In that case the only way to see the
-  # currently active rules is with firewall-cmd. I prefer installing nftables
-  # so that we can have somewhat of a parallel with iptables:
-  #
-  #   nft list ruleset
-  #
-  # See: https://firewalld.org/2018/07/nftables-backend
-  - name: Install nftables
-    when: ansible_distribution_version is version('20.04', '==')
-    apt: pkg=nftables state=present
+  - name: Start and enable nftables
+    when: ansible_distribution_version is version('20.04', '>=')
+    systemd: name=nftables state=started enabled=yes

-  - name: Use nftables backend in firewalld
-    when: ansible_distribution_version is version('20.04', '==')
-    lineinfile:
-      dest: /etc/firewalld/firewalld.conf
-      regexp: '^FirewallBackend=iptables$'
-      line: 'FirewallBackend=nftables'
+  - name: Copy nftables.conf
+    when: ansible_distribution_version is version('20.04', '>=')
+    template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
    notify:
-      - restart firewalld
+      - reload nftables
+
+  - name: Create /etc/nftables extra config directory
+    when: ansible_distribution_version is version('20.04', '>=')
+    file: path=/etc/nftables state=directory owner=root mode=0755
+
+  - name: Copy extra nftables configuration files
+    when: ansible_distribution_version is version('20.04', '>=')
+    copy: src={{ item }} dest=/etc/nftables/{{ item }} owner=root group=root mode=0644 force=no
+    loop:
+      - spamhaus-ipv4.nft
+      - spamhaus-ipv6.nft
+    notify:
+      - reload nftables

  - name: Copy firewalld public zone file
-    when: ansible_distribution_version is version('16.04', '>=')
+    when: ansible_distribution_version is version('18.04', '<=')
    template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600

  - name: Format public.xml firewalld zone file
-    when: ansible_distribution_version is version('16.04', '>=')
+    when: ansible_distribution_version is version('18.04', '<=')
    command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
    notify:
      - restart firewalld

-  - name: Copy ipsets of abusive IPs
-    when: ansible_distribution_version is version('16.04', '>=')
+  - name: Copy firewalld ipsets of abusive IPs
+    when: ansible_distribution_version is version('18.04', '<=')
    copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
    loop:
      - abusers-ipv4.xml
@@ -59,30 +76,49 @@
    notify:
      - restart firewalld

-  - name: Copy Spamhaus update script
-    when: ansible_distribution_version is version('16.04', '>=')
+  - name: Copy Spamhaus firewalld update script
+    when: ansible_distribution_version is version('18.04', '<=')
    copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root

-  - name: Copy Spamhaus systemd units
-    when: ansible_distribution_version is version('16.04', '>=')
+  - name: Copy Spamhaus firewalld systemd units
+    when: ansible_distribution_version is version('18.04', '<=')
    copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
    loop:
        - update-spamhaus-lists.service
        - update-spamhaus-lists.timer
-    register: spamhaus_systemd_units
+    register: spamhaus_firewalld_systemd_units
+
+  - name: Copy Spamhaus nftables update scripts
+    when: ansible_distribution_version is version('20.04', '>=')
+    copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
+    loop:
+      - update-spamhaus-nftables.sh
+      - aggregate-cidr-addresses.pl
+
+  - name: Copy Spamhaus nftables systemd units
+    when: ansible_distribution_version is version('20.04', '>=')
+    copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
+    loop:
+        - update-spamhaus-nftables.service
+        - update-spamhaus-nftables.timer
+    register: spamhaus_nftables_systemd_units

  # need to reload to pick up service/timer/environment changes
  - name: Reload systemd daemon
    systemd: daemon_reload=yes
-    when: spamhaus_systemd_units is changed
+    when: spamhaus_firewalld_systemd_units is changed or
+          spamhaus_nftables_systemd_units is changed

-  - name: Start and enable Spamhaus update timer
-    when: ansible_distribution_version is version('16.04', '>=')
+  - name: Start and enable Spamhaus firewalld update timer
+    when: ansible_distribution_version is version('18.04', '<=')
    systemd: name=update-spamhaus-lists.timer state=started enabled=yes
-
    notify:
      - restart firewalld

+  - name: Start and enable Spamhaus nftables update timer
+    when: ansible_distribution_version is version('20.04', '>=')
+    systemd: name=update-spamhaus-nftables.timer state=started enabled=yes
+
  - include_tasks: fail2ban.yml
    when: ansible_distribution_version is version('16.04', '>=')
  tags: firewall
--- a/roles/common/tasks/firewall_Ubuntu_cleanup.yml
+++ b/roles/common/tasks/firewall_Ubuntu_cleanup.yml
@@ -0,0 +1,40 @@
+---
+# Clean up previous firewalld configuration on Ubuntu 20.04, now that we are
+# migrating to a pure nftables configuration.
+
+- name: Stop and disable firewalld
+  systemd: name=nftables state=stopped enabled=no
+
+- name: Set Ubuntu firewall packages to remove
+  set_fact:
+    ubuntu_firewall_packages:
+      - firewalld
+      - tidy
+
+- name: Remove old firewall packages
+  apt: pkg={{ ubuntu_firewall_packages }} state=absent
+
+- name: Remove old firewalld zone and ipsets
+  file: dest={{ item }} state=absent
+  loop:
+    - /etc/firewalld/zones/public.xml
+    - /etc/firewalld/ipsets/abusers-ipv4.xml
+    - /etc/firewalld/ipsets/abusers-ipv6.xml
+    - /etc/firewalld/ipsets/spamhaus-ipv4.xml
+    - /etc/firewalld/ipsets/spamhaus-ipv6.xml
+
+- name: Stop and disable old Spamhaus firewalld systemd timer
+  systemd: name=update-spamhaus-lists.timer state=stopped enabled=no
+
+- name: Remove old Spamhaus firewalld update script and systemd units
+  file: dest=/usr/local/bin/update-spamhaus-lists.sh state=absent
+  loop:
+    - /usr/local/bin/update-spamhaus-lists.sh
+    - /etc/systemd/system/update-spamhaus-lists.service
+    - /etc/systemd/system/update-spamhaus-lists.timer
+
+# need to reload to pick up service/timer/environment changes
+- name: Reload systemd daemon
+  systemd: daemon_reload=yes
+
+# vim: set sw=2 ts=2:
--- a/roles/common/tasks/packages_Debian.yml
+++ b/roles/common/tasks/packages_Debian.yml
@@ -3,6 +3,7 @@
 - block:
  - name: Configure apt mirror
    template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
+    when: ansible_architecture != 'armv7l'

  - name: Set fact for base packages
    set_fact:
--- a/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
+++ b/roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2
@@ -2,8 +2,13 @@
 enabled   = true
 # See: /etc/fail2ban/filter.d/sshd.conf
 filter    = sshd
+{% if (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')) %}
+# Integrate with nftables
+banaction=nftables[type=allports]
+{% else %}
 # Integrate with firewalld and ipsets
 banaction = firewallcmd-ipset
+{% endif %}
 backend   = systemd
 maxretry  = {{ fail2ban_maxretry }}
 findtime  = {{ fail2ban_findtime }}
--- a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
+++ b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
@@ -2,14 +2,14 @@
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
+{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
+{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log
--- a/roles/common/templates/nftables.conf.j2
+++ b/roles/common/templates/nftables.conf.j2
@@ -0,0 +1,87 @@
+#!/usr/sbin/nft -f
+#
+# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
+#
+
+flush ruleset
+
+# Lists updated daily by update-spamhaus-nftables.sh
+include "/etc/nftables/spamhaus-ipv4.nft"
+include "/etc/nftables/spamhaus-ipv6.nft"
+
+# Notes:
+#   - tables hold chains, chains hold rules
+#   - inet is for both ipv4 and ipv6
+table inet filter {
+    set spamhaus-ipv4 {
+        type ipv4_addr
+        # if the set contains prefixes we need to use the interval flag
+        flags interval
+        elements = $SPAMHAUS_IPV4
+    }
+
+    set spamhaus-ipv6 {
+        type ipv6_addr
+        flags interval
+        elements = $SPAMHAUS_IPV6
+    }
+
+    chain input {
+        type filter hook input priority 0;
+
+        # Allow traffic from established and related packets.
+        ct state {established, related} accept
+
+        # Drop invalid packets.
+        ct state invalid counter drop
+
+        # Drop packets matching the spamhaus sets early.
+        ip saddr @spamhaus-ipv4 counter drop
+        ip6 saddr @spamhaus-ipv6 counter drop
+
+        # Allow loopback traffic.
+        iifname lo accept
+
+        # Allow all ICMP and IGMP traffic, but enforce a rate limit
+        # to help prevent some types of flood attacks.
+        ip protocol icmp limit rate 4/second accept
+        ip6 nexthdr ipv6-icmp limit rate 4/second accept
+        ip protocol igmp limit rate 4/second accept
+
+        {# SSH rules #}
+        ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 22 counter accept
+
+        {# Web rules #}
+        {% if 'web' in group_names %}
+        ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept
+        ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 80 counter accept
+        ip6 saddr ::/0 ct state new tcp dport 443 counter accept
+        {% endif %}
+
+        {# Extra rules #}
+        {% if extra_iptables_rules is defined %}
+        {% for rule in extra_iptables_rules %}
+        ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+
+        {% if ghetto_ipsets[rule.acl].ipv6src is defined %}
+        ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+        {% endif %}
+
+        {% endfor %}
+        {% endif %}
+
+        # everything else
+        reject with icmpx type port-unreachable
+    }
+    chain forward {
+        type filter hook forward priority 0;
+    }
+    chain output {
+        type filter hook output priority 0;
+        # Drop outgoing packets matching the spamhaus sets too
+        ip daddr @spamhaus-ipv4 counter drop
+        ip6 daddr @spamhaus-ipv6 counter drop
+    }
+}
--- a/roles/common/templates/sources.list.j2
+++ b/roles/common/templates/sources.list.j2
@@ -9,7 +9,7 @@ deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-securi
 {% set apt_mirror    = apt_mirror | default('deb.debian.org') %}
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free

-deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
+deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free

 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free

--- a/roles/common/templates/sshd_config_Debian-11.j2
+++ b/roles/common/templates/sshd_config_Debian-11.j2
@@ -0,0 +1,138 @@
+#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
+
+# This is the sshd server system-wide configuration file.  See
+# sshd_config(5) for more information.
+
+# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+
+# The strategy used for options in the default sshd_config shipped with
+# OpenSSH is to specify options with their default value where
+# possible, but leave them commented.  Uncommented options override the
+# default value.
+
+Include /etc/ssh/sshd_config.d/*.conf
+
+#Port 22
+#AddressFamily any
+#ListenAddress 0.0.0.0
+#ListenAddress ::
+
+#HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# Ciphers and keying
+#RekeyLimit default none
+
+# Logging
+#SyslogFacility AUTH
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
+LogLevel VERBOSE
+
+# Authentication:
+
+#LoginGraceTime 2m
+PermitRootLogin prohibit-password
+#StrictModes yes
+MaxAuthTries 4
+#MaxSessions 10
+
+#PubkeyAuthentication yes
+
+# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
+# but this is overridden so installations will only check .ssh/authorized_keys
+AuthorizedKeysFile	.ssh/authorized_keys
+
+#AuthorizedPrincipalsFile none
+
+#AuthorizedKeysCommand none
+#AuthorizedKeysCommandUser nobody
+
+# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
+#HostbasedAuthentication no
+# Change to yes if you don't trust ~/.ssh/known_hosts for
+# HostbasedAuthentication
+#IgnoreUserKnownHosts no
+# Don't read the user's ~/.rhosts and ~/.shosts files
+#IgnoreRhosts yes
+
+# To disable tunneled clear text passwords, change to no here!
+#PasswordAuthentication yes
+#PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+#KerberosGetAFSToken no
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+#GSSAPIStrictAcceptorCheck yes
+#GSSAPIKeyExchange no
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+#AllowAgentForwarding yes
+#AllowTcpForwarding yes
+#GatewayPorts no
+X11Forwarding no
+#X11DisplayOffset 10
+#X11UseLocalhost yes
+#PermitTTY yes
+PrintMotd no
+#PrintLastLog yes
+#TCPKeepAlive yes
+#PermitUserEnvironment no
+#Compression delayed
+#ClientAliveInterval 0
+#ClientAliveCountMax 3
+#UseDNS no
+#PidFile /var/run/sshd.pid
+#MaxStartups 10:30:100
+#PermitTunnel no
+#ChrootDirectory none
+#VersionAddendum none
+
+# no default banner path
+#Banner none
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+# override default of no subsystems
+Subsystem	sftp	/usr/lib/openssh/sftp-server
+
+# Example of overriding settings on a per-user basis
+#Match User anoncvs
+#	X11Forwarding no
+#	AllowTcpForwarding no
+#	PermitTTY no
+#	ForceCommand cvs server
+ 
+# Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
+# with less than 256 bits removed, as NSA's Suite B removed them years ago and
+# the new (2018) CNSA suite is 256 bits and up.
+#
+# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+
+# only allow shell access by provisioning user
+AllowUsers {{ provisioning_user.name }}
Author	SHA1	Message	Date
Alan Orth	c336b217c5	Remove extra TCP ports from firewall rules Now all web hosts get TCP 80 and 443 open automatically.	2021-07-28 14:49:50 +03:00
Alan Orth	af6c3dd12a	roles/common: Update cache in firewall playbook cron-apt updates the system against the security-only databases at night so many packages are "missing" unless you run apt update. We need to update the cache on all apt tasks actually because I might be running them by their tag and they currently only get updated at the beginning of the playbook.	2021-07-28 14:46:58 +03:00
Alan Orth	b66c724109	roles/common: Use nftables on Ubuntu 20.04 as well This mostly copies the Debian 11 nftables setup and includes a play to clean up the old firewalld settings, timers, etc.	2021-07-28 14:18:41 +03:00
Alan Orth	8bc2b6f493	roles/common: Retab nftables.conf.j2	2021-07-27 22:03:23 +03:00
Alan Orth	a74d6dfc08	roles/common: Don't overwrite spamhaus nft sets The ones in this repo are only placeholders that get updated by the update-spamhaus-nftables service, so we shouldn't overwrite them if they exist.	2021-07-27 22:01:57 +03:00
Alan Orth	d3922e7878	roles/common: Port configurable firewall logic to nftables This opens TCP port 22 on all hosts, TCP ports 80 and 443 on hosts in the web group, and allows configuration of "extra" rules in the host or group vars.	2021-07-27 21:22:32 +03:00
Alan Orth	14814aa5d9	roles/common: Wire up fail2ban The nftables support works easily and creates the table, chains, and sets on demand.	2021-07-26 22:07:31 +03:00
Alan Orth	3b053167b1	roles/common: Fix sources.list for Debian 11 Bullseye Seems the path to the security updates repo changed.	2021-07-26 21:12:05 +03:00
Alan Orth	9bba0d96bb	roles/common: Add initial support for nftables on Debian 11 I will try using nftables directly instead of via firewalld as of Debian 11 as it is the replacement for the iptables/ipset stack in recent years and is easier to work with. This also includes a systemd service, timer, and script to update the spamhaus DROP lists as nftables sets. Still need to add fail2ban support.	2021-07-26 13:09:41 +03:00
Alan Orth	38c333045b	roles/common: bring Ubuntu firewall changes to Debian 11 Note that there is currently an issue loading the spamhaus rules on Debian 11 when using ipsets with firewalld and the nftables backend. The bug is apparently caused by overlapping CIDR segments, and the solution appears to be that we need to manually aggregate them with a tool like aggregate6 (Python). See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571 See: https://wiki.fysik.dtu.dk/it/Linux_firewall_configuration#using-ipsets-in-firewalld-on-rhel-centos-8 See: https://github.com/job/aggregate6	2021-07-24 23:09:33 +03:00
Alan Orth	d4ede33099	roles/common: Don't configure apt sources on ARM I was using this on Ubuntu, but might as well bring it here too so that I can run Debian on Scaleway's ARM instances, for example.	2021-07-24 22:32:20 +03:00
Alan Orth	0bad75788d	roles/common: Add encryption settings to Debian 11 sshd_config Mostly based on the ssh-audit policy for OpenSSH 8.4, but with any algorithms using less than 256 bits removed. NSA's Suite B removed these long ago, and the new CNSA suite only uses 256 and up. See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite	2021-07-24 22:28:59 +03:00
Alan Orth	892033b880	roles/common: port common settings to Debian 11 sshd_config Still need to add the encryption settings.	2021-07-22 14:16:20 +03:00
Alan Orth	7c6ab2a652	roles/common: Add sshd_config from Debian 11 RC2	2021-07-22 14:15:00 +03:00