Merge branch 'system'

04f34f4f · fred · 7a614647 · f704f463 · 04f34f4f · 04f34f4f
Commit 04f34f4f authored 2 years ago by fred
--- a/Makefile
+++ b/Makefile
@@ -9,6 +9,7 @@ open_all:
 	${EDITOR} .gitignore inv* Makefile README.md
 	${EDITOR} tasks/*.yml
 	${EDITOR} tasks/files/sshd_config
+	${EDITOR} tasks/templates/*.j2
 	${EDITOR} tasks/system_cfg/*.yml
 	${EDITOR} tasks/system_cfg/templates/*.j2
 	${EDITOR} tasks/user_cfg/*.yml

--- a/README.md
+++ b/README.md
@@ -18,7 +18,7 @@ Suitable for server and workstation.
 | [`become_user_cfg.yml`](tasks/become_user_cfg.yml)    |   Set `sudo` without password for `become_user` access                |
 | [`host_info.yml`](tasks/host_info.yml)                |   Return message with distribution full name & version                |
 | [`shutdown.yml`](tasks/shutdown.yml)                  |   Shutdown target in 5 min (not if host is in production group)       |
-| [`system_cfg`](tasks/system_cfg/main.yml)             |   Configure  `root` users , NTP & `{{ my_users }}` shell              |
+| [`system_cfg`](tasks/system_cfg/main.yml)             |   Configure  `root`, firewall, NTP, LDP & `{{ my_users }}` shell      |
 | [`user_cfg`](tasks/user_cfg/main.yml)                 |   Configure `{{ my_user }}`                                           |
 | [`whoami.yml`](tasks/whoami.yml)                      |   Return message with `ansible_user` & `become_user` (`sudo` method)  |


--- a/inventory.sample
+++ b/inventory.sample
@@ -17,6 +17,11 @@ localhost

 [server:vars]
 timezone="UTC"
+gateway="<GATEWAY_IP>"

 [workstation:vars]
 timezone="Europe/Paris"
+
+[all:vars]
+ldp_token="put-yours-here"
+ldp_zone="put-yours-here"
--- a/tasks/system_cfg/firewall.yml
+++ b/tasks/system_cfg/firewall.yml
+---
+- name: FIREWALL | install packages
+  ansible.builtin.apt:
+    cache_valid_time: 3600
+    force_apt_get: yes
+    pkg:
+        - fail2ban
+        - ufw
+    state: present
+    update_cache: true
+
+- name: UFW | reset before setting
+  community.general.ufw:
+    state: reset
+
+- name: UFW | deny everything IN
+  community.general.ufw:
+    direction: incoming
+    policy: deny
+
+- name: UFW | allow everything OUT
+  community.general.ufw:
+    direction: outgoing
+    policy: allow
+
+- name: UFW | limit tcp port 22 IN
+  community.general.ufw:
+    direction: in
+    log: yes
+    port: '22'
+    proto: tcp
+    rule: limit
+
+- name: UFW | allow tcp port 80 IN
+  when: inventory_hostname in groups.web
+  community.general.ufw:
+    direction: in
+    rule: allow
+    port: '80'
+    proto: tcp
+
+- name: UFW | enable & set logging
+  community.general.ufw:
+    logging: low
+    state: enabled
+
+- name: FAIL2BAN | ensure deamon is running
+  ansible.builtin.service:
+    name: fail2ban
+    state: started
+    enabled: true
+
+- name: FAIL2BAN | set local config
+  ansible.builtin.template:
+    src: templates/jail.local.j2
+    dest: /etc/fail2ban/jail.local
+
+- name: FAIL2BAN | restart service
+  ansible.builtin.service:
+    name: fail2ban
+    state: restarted
--- a/tasks/system_cfg/ldp.yml
+++ b/tasks/system_cfg/ldp.yml
+---
+- name: LDP | install packages
+  ansible.builtin.apt:
+    cache_valid_time: 3600
+    force_apt_get: yes
+    pkg:
+      - syslog-ng
+      - ca-certificates
+    state: present
+    update_cache: true
+
+- name: LDP | syslog-ng config
+  ansible.builtin.template:
+    src: templates/ldp.conf.j2
+    dest: "/etc/syslog-ng/conf.d/ldp.conf"
+    mode: 0640
+    owner: root
+    group: root
+
+- name: LDP | restart syslog-ng deamon
+  ansible.builtin.systemd:
+    state: restarted
+    daemon_reload: yes
+    name: syslog-ng
--- a/tasks/system_cfg/main.yml
+++ b/tasks/system_cfg/main.yml
@@ -6,9 +6,15 @@

  tasks:

+  - name: IMPORT_TASKS | firewall
+    ansible.builtin.import_tasks: firewall.yml
+
  - name: IMPORT_TASKS | font
    ansible.builtin.import_tasks: font.yml

+  - name: IMPORT_TASKS | ldp
+    ansible.builtin.import_tasks: ldp.yml
+
  - name: IMPORT_TASKS | ntp
    ansible.builtin.import_tasks: ntp.yml


--- a/tasks/system_cfg/templates/jail.local.j2
+++ b/tasks/system_cfg/templates/jail.local.j2
+[DEFAULT]
+banaction = ufw
+bantime   = 3600
+maxretry  = 3
+ignoreip  = 127.0.0.1 {{gateway}} {% for host in groups['all'] %}{{hostvars[host]['ansible_host']|ansible.netcommon.ipaddr('public')}} {% endfor %}
+
+
+[ssh]
+enabled  = true
+filter = sshd
+logpath = /var/log/auth.log
+findtime = 300
--- a/tasks/system_cfg/templates/ldp.conf.j2
+++ b/tasks/system_cfg/templates/ldp.conf.j2
+template ovhTemplate {
+    # Source: https://docs.ovh.com/fr/logs-data-platform/how-to-log-your-linux/
+
+    template("<${LEVEL_NUM}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} - [sdid@32473 X-OVH-TOKEN=\"{{ ldp_token }}\" pid=\"${PID}\" facility=\"${FACILITY}\" priority=\"${PRIORITY}\"] ${MSG}\n");
+    template_escape(no);
+};
+
+destination ovhPaaSLogs {
+    network("{{ ldp_zone }}.logs.ovh.com"
+        port(6514),
+        template(ovhTemplate),
+        ts_format("iso"),
+        transport("tls"),
+        tls(peer-verify("required-trusted") ca_dir("/etc/ssl/certs/")),
+        keep-alive(yes),
+        so_keepalive(yes),
+    );
+};
+
+destination localfile {
+    file("/var/log/temporaryfiletochecklogs.log");
+};
+
+log {
+     source(s_src);
+     destination(ovhPaaSLogs);
+};
+
+log {
+     source(s_src);
+     destination(localfile);
+};
--- a/tasks/templates/jail.local.j2
+++ b/tasks/templates/jail.local.j2
+[DEFAULT]
+banaction = ufw
+bantime   = 3600
+maxretry  = 3
+ignoreip  = 127.0.0.1 {{gateway}} {% for host in groups['all'] %}{{hostvars[host]['ansible_host']|ansible.netcommon.ipaddr('public')}} {% endfor %}
+
+
+[ssh]
+enabled  = true
+filter = sshd
+logpath = /var/log/auth.log
+findtime = 300
--- a/tasks/templates/ldp.conf.j2
+++ b/tasks/templates/ldp.conf.j2
+template ovhTemplate {
+    # Source: https://docs.ovh.com/fr/logs-data-platform/how-to-log-your-linux/
+
+    template("<${LEVEL_NUM}>1 ${ISODATE} ${HOST} ${PROGRAM} ${PID} - [sdid@32473 X-OVH-TOKEN=\"{{ ldp_token }}\" pid=\"${PID}\" facility=\"${FACILITY}\" priority=\"${PRIORITY}\"] ${MSG}\n");
+    template_escape(no);
+};
+
+destination ovhPaaSLogs {
+    network("{{ ldp_zone }}.logs.ovh.com"
+        port(6514),
+        template(ovhTemplate),
+        ts_format("iso"),
+        transport("tls"),
+        tls(peer-verify("required-trusted") ca_dir("/etc/ssl/certs/")),
+        keep-alive(yes),
+        so_keepalive(yes),
+    );
+};
+
+destination localfile {
+    file("/var/log/temporaryfiletochecklogs.log");
+};
+
+log {
+     source(s_src);
+     destination(ovhPaaSLogs);
+};
+
+log {
+     source(s_src);
+     destination(localfile);
+};