diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index 92bbc103..52a15e91 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -190,7 +190,6 @@ enable_pihole: true
 
 enable_watchtower: true
 enable_endlessh: false
-
 #
 # Time Machine
 #
@@ -335,6 +334,15 @@ snapraid_config_excludes:
 # SMART error reporting
 #
 smartd_default_mail_recipients: [ "{{ email }}" ]
+
+#
+# CrowdSec
+#
+crowdsec_whitelist:
+  enabled: false
+
+enable_crowdsec: false
+
 ### BEGIN Secret variables (encrypt and put into vault.yml)
 cloudflare_dns_token: ''
 cloudflare_firewall_token: ''
diff --git a/requirements.yml b/requirements.yml
index e3d08b54..de67d040 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -8,3 +8,4 @@ roles:
   - name: oefenweb.dns
   - name: notthebee.ubuntu_autoinstall
   - name: ironicbadger.ansible_role_snapraid
+  - name: veselahouba.crowdsec
diff --git a/roles/network/swag/tasks/docker.yml b/roles/network/swag/tasks/docker.yml
index 190da07b..8c72c55e 100644
--- a/roles/network/swag/tasks/docker.yml
+++ b/roles/network/swag/tasks/docker.yml
@@ -1,15 +1,4 @@
 ---
-- name: Create a macvlan network (Ansible's docker_network can't do macvlan)
-  shell:
-    cmd: "docker network create -d macvlan \ --subnet={{ lan_network }} \ --gateway={{ ansible_default_ipv4.gateway }} \ -o parent=enp2s0 swag_macvlan || /bin/true"
-  ignore_errors: yes
-  register: result
-  failed_when: "'FAILED' in result.stderr and 'already exists' not in result.stderr"
-  changed_when: "'already exists' not in result.stderr"
-
 - name: Make sure the swag_internal container is created and running
   docker_container:
     name: "swag_internal"
diff --git a/roles/network/swag/tasks/main.yml b/roles/network/swag/tasks/main.yml
index 28a1962f..fb146a13 100644
--- a/roles/network/swag/tasks/main.yml
+++ b/roles/network/swag/tasks/main.yml
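Review bot: `crowdsec_whitelist` is introduced with only `enabled: false` and no address ranges, so nothing documents what must be whitelisted before `enable_crowdsec` is flipped; with a bouncer on the same host, a LAN scanner or a misbehaving service tripping a scenario can ban the operator's own source and lock them out. The key layout belongs to the veselahouba.crowdsec role, which is not visible here, but the playbook already defines `lan_network`, so the intended entries should be named next to the variable. A comment such as `# Whitelist your management sources (at least lan_network and the VPN range, if any) before setting enable_crowdsec: true; a false positive can otherwise lock you out` makes the dependency explicit.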
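Review bot: `veselahouba.crowdsec` is added to requirements.yml without a `version:`, so each `ansible-galaxy install` fetches whatever the role's default branch holds at that moment and runs it as root on every host; for a role that installs and configures a security agent, a floating reference is a supply-chain exposure. The neighbouring roles are equally unpinned, so this matches the file, but the new entry is the place to start: keep `- name: veselahouba.crowdsec` and add `  version: <tag or commit SHA>` beneath it, a commit SHA being the strongest pin. Note too that run.yml in this same commit references `../ansible-role-crowdsec` rather than this Galaxy name, so the pinned role would not even be the one executed until that reference is corrected.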
@@ -2,4 +2,5 @@
 - include_tasks: list_services.yml
 - include_tasks: install_configs.yml
 - include_tasks: cloudflare_real_ips.yml
+- include_tasks: networks.yml
 - include_tasks: docker.yml
\ No newline at end of file
diff --git a/roles/network/swag/tasks/networks.yml b/roles/network/swag/tasks/networks.yml
new file mode 100644
index 00000000..92f559e5
--- /dev/null
+++ b/roles/network/swag/tasks/networks.yml
@@ -0,0 +1,17 @@
+- name: Create an internal macvlan network
+  docker_network:
+    name: swag_macvlan
+    driver: macvlan
+    driver_options:
+      parent: enp2s0
+    ipam_config:
+      - subnet: "{{ lan_network }}"
+        gateway: "{{ ansible_default_ipv4.gateway }}"
+
+- name: Create an internal network
+  docker_network:
+    name: swag_internal_network
+
+- name: Create a public network
+  docker_network:
+    name: swag_network
\ No newline at end of file
diff --git a/roles/security/endlessh/handlers/main.yml b/roles/security/endlessh/handlers/main.yml
index 464f0ef2..efcf5b0e 100644
--- a/roles/security/endlessh/handlers/main.yml
+++ b/roles/security/endlessh/handlers/main.yml
@@ -1,4 +1,5 @@
 - name: restart endlessh
-  service:
+  systemd:
     name: endlessh
+    daemon_reload: true
     state: restarted
\ No newline at end of file
diff --git a/roles/security/endlessh/tasks/main.yml b/roles/security/endlessh/tasks/main.yml
index 37a9429d..afd11b60 100644
--- a/roles/security/endlessh/tasks/main.yml
+++ b/roles/security/endlessh/tasks/main.yml
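Review bot: `swag_internal_network` in networks.yml is created as a plain bridge, so despite its name containers on it get NAT egress and can be reached through published ports exactly like `swag_network`; if it is meant to be a backend-only segment, add `internal: true` to that `docker_network` task. The macvlan task hard-codes `parent: enp2s0` while taking the gateway from facts; `parent: "{{ ansible_default_ipv4.interface }}"` keeps the two consistent and avoids attaching to the wrong NIC on a host with a different interface name (it assumes the default route is on the LAN, which the gateway line already assumes). The macvlan `ipam_config` also claims the whole `{{ lan_network }}` subnet, so Docker may assign container addresses that collide with DHCP leases on the LAN unless an `iprange` is carved out for it. Minor: the new file has no leading `---`, unlike docker.yml in the same role.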
@@ -13,24 +13,32 @@
 - name: Add the net_bind_capability to the executable (for running on port 22)
   shell:
     cmd: "setcap 'cap_net_bind_service=+ep' $(which endlessh)"
+  notify:
+    - restart endlessh
 
 - name: Add the net_bind_capability to the systemd service (for running on port 22)
   lineinfile:
     regexp: "^#AmbientCapabilities.*$"
     line: "AmbientCapabilities=CAP_NET_BIND_SERVICE"
     path: "/usr/lib/systemd/system/endlessh.service"
+  notify:
+    - restart endlessh
 
 - name: Comment 'PrivateUsers' (for running on port 22)
   lineinfile:
     regexp: "^PrivateUsers=true$"
     line: "#PrivateUsers=true"
     path: "/usr/lib/systemd/system/endlessh.service"
+  notify:
+    - restart endlessh
 
 - name: Add log output
   lineinfile:
     regexp: "^StandardOutput.*$"
     line: "StandardOutput=file:/var/log/endlessh"
     path: "/usr/lib/systemd/system/endlessh.service"
+  notify:
+    - restart endlessh
 
 - name: Start and enable endlessh
   service:
diff --git a/roles/security/fail2ban/templates/jail.local.j2 b/roles/security/fail2ban/templates/jail.local.j2
index 85d3678a..547e09fd 100644
--- a/roles/security/fail2ban/templates/jail.local.j2
+++ b/roles/security/fail2ban/templates/jail.local.j2
@@ -14,10 +14,15 @@ enabled = true
 port = {{ security_ssh_port }}
 filter = sshd
 
-{% if enable_nextcloud %}
-[nextcloud]
+{% for name in installed_configs %}
+[{{ name }}]
 enabled = true
 port = http,https,{{ security_ssh_port }}
+{% if 'endlessh' in name %}
+action = %(action_)s
+maxretry = 0
+{% endif %}
 filter = {{ name }}
 logpath = %({{ name }}_log)s
-{% endif %}
\ No newline at end of file
+
+{% endfor %}
\ No newline at end of file
diff --git a/run.yml b/run.yml
index c3522b79..0f5670b1 100644
--- a/run.yml
+++ b/run.yml
@@ -25,15 +25,6 @@
     tags:
       - docker
 
-  - role: security/fail2ban
-    tags:
-      - fail2ban
-
-  - role: security/endlessh
-    tags:
-      - endlessh
-    when: enable_endlessh | default(False)
-
   - role: chriswayg.msmtp-mailer
     tags:
       - msmtp
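Review bot: the `setcap` task is a bare `shell` with no `changed_when`, so it reports changed on every run and, now that it notifies `restart endlessh`, restarts the tarpit on every playbook run and drops every connection it was holding, which defeats the point of endlessh. Replacing it with the idempotent `capabilities` module (community.general) notifies only when the file capability actually changes; the path is presumably `/usr/bin/endlessh` for the packaged binary that `$(which endlessh)` resolves today, so confirm before hardcoding it. Separately, the three `lineinfile` edits patch the vendor unit under `/usr/lib/systemd/system`, which the next package upgrade overwrites; a drop-in at `/etc/systemd/system/endlessh.service.d/override.conf` carrying the `AmbientCapabilities=`, `PrivateUsers=no` and `StandardOutput=` settings survives upgrades, and commenting out `PrivateUsers=` should be called out as a deliberate sandbox reduction. The last task (`Start and enable endlessh`) continues beyond the hunk.
```yaml
- name: Add the net_bind_capability to the executable (for running on port 22)
  capabilities:
    path: /usr/bin/endlessh  # TODO confirm: must match $(which endlessh) on the target
    capability: cap_net_bind_service=ep
    state: present
  notify:
    - restart endlessh

# … unchanged: lineinfile edits of endlessh.service and the start/enable task …
```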
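Review bot: the new jail loop in jail.local.j2 iterates `installed_configs`, which is not defined in the visible vars.yml and looks like the fact the swag role's `list_services.yml` populates; run.yml in this commit runs `security/fail2ban` before `network/swag`, so on a fresh host the template would fail to render with an undefined-variable error before swag ever runs. `{% for name in installed_configs | default([]) %}` lets the first run succeed, with the jails appearing on the following run once the fact exists. Each generated jail also needs a matching `filter.d/<name>.conf` and a `<name>_log` path definition; fail2ban refuses to start the whole service if any one jail references a missing filter, so either restrict the loop to names that have a shipped filter or ship one for every config. The endlessh branch bans on the first hit (`maxretry = 0` behaves like 1) across `http,https` and the SSH port, which is reasonable for a tarpit but deserves a `{# tarpit: any connection is hostile, ban everywhere #}` comment; the `[DEFAULT]` and `[sshd]` sections this hunk continues begin outside the hunk.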
@@ -46,6 +37,22 @@
     tags:
       - ntp
 
+
+  # Security
+  - role: security/fail2ban
+    tags:
+      - fail2ban
+
+  - role: ../ansible-role-crowdsec
+    tags:
+      - crowdsec
+    when: enable_crowdsec
+
+  - role: security/endlessh
+    tags:
+      - endlessh
+    when: enable_endlessh | default(False)
+
   - role: geerlingguy.security
     tags:
       - security
@@ -53,6 +60,14 @@
   #
   # Network
   #
+  - role: network/swag
+    become: no
+    tags:
+      - swag
+      - containers
+    when: enable_swag | default(False)
+
+
   - role: network/wireguard
     become: no
     tags:
@@ -103,6 +118,7 @@
   #
   # Filesystems
   #
+
   - role: filesystems/mergerfs
     become: yes
     tags:
@@ -132,7 +148,6 @@
     tags:
       - snapraid
     when: enable_nas_stuff | default(False)
-
   #
   # Homer
   #
@@ -275,4 +290,4 @@
     become: yes
     tags:
       - samba
-    when: enable_nas_stuff | default(False)
\ No newline at end of file
+    when: enable_nas_stuff | default(False)
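Review bot: the CrowdSec entry uses `role: ../ansible-role-crowdsec`, a directory outside the repository, while requirements.yml in this same commit installs `veselahouba.crowdsec`; on a machine without that sibling checkout the play fails, and where one exists the host runs whatever local working copy happens to be there instead of the role that was declared and can be pinned. Use the installed name, `- role: veselahouba.crowdsec`, and drop the relative path. Minor: `when: enable_crowdsec` lacks the `| default(False)` guard its siblings carry, which is safe only as long as vars.yml keeps defining the variable.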