Add my own crowdsec role, test with a new LAN and fix a few bugs

group_vars/all/vars.yml

@@ -11,7 +11,6 @@ hostname: "{{ inventory_hostname }}"
 
 timezone: Europe/Amsterdam
 
-dns_nameservers: [9.9.9.9, 149.112.112.112]
 
 dot_nameservers: [185.95.218.42@853#dns.digitale-gesellschaft.ch, 94.140.15.140@853#dns-unfiltered.adguard.com]
 
@@ -21,6 +20,8 @@ locale: en_US.UTF-8
 
 lan_network: "{{ '.'.join(ansible_default_ipv4.address.split('.')[0:3]) }}.0/24"
 
+dns_nameservers: ["{{ ansible_default_ipv4.gateway }}"]
+
 fish_prompt_color: blue 
 
 keyboard_layout: us
@@ -345,10 +346,7 @@ smartd_default_mail_recipients: [ "{{ email }}" ]
 #
 # CrowdSec
 #
-crowdsec_whitelist:
-  enabled: false
-
-enable_crowdsec: false
+enable_crowdsec: true
 
 ### BEGIN Secret variables (encrypt and put into vault.yml)
 cloudflare_dns_token: ''

requirements.yml

@@ -7,5 +7,4 @@ roles:
   - name: stuvusit.smartd
   - name: oefenweb.dns
   - name: notthebee.ubuntu_autoinstall
-  - name: ironicbadger.ansible_role_snapraid
-  - name: veselahouba.crowdsec
+  - name: ironicbadger.ansible_role_snapraid

roles/containers/media/deluge/tasks/main.yml

@@ -5,6 +5,7 @@
     dest: "{{ docker_dir }}/{{ container_name }}/iptable.sh"
     owner: "{{ username }}"
     group: "{{ username }}"
+    mode: 0644
 
 - name: Make sure the Deluge container is created and running
   docker_container:
@@ -27,8 +28,8 @@
       "VPN_PROV": custom
       "VPN_CLIENT": "wireguard"
       "ENABLE_PRIVOXY": "yes"
+      "NAME_SERVERS": "{{ ','.join(dns_nameservers) }}"
       "LAN_NETWORK": "172.20.0.0/16, {{ lan_network }}"
-      "NAME_SERVERS": "1.1.1.1, 1.0.0.1"
       "DELUGE_DAEMON_LOG_LEVEL": "info"
       "DELUGE_WEB_LOG_LEVEL": "info"
       "DEBUG": "true"
@@ -53,4 +54,4 @@
     connected:
       - deluge
     appends: yes
-  when: enable_swag
+  when: enable_swag

roles/containers/services/photoprism/tasks/main.yml

@@ -30,8 +30,8 @@
     state: 'started'
     shm_size: 2G
     env:
-      "UID": "{{ guid }}"
-      "GID": "{{ guid }}"
+      "PUID": "{{ guid }}"
+      "PGID": "{{ guid }}"
       "PHOTOPRISM_GID": "{{ guid }}"
       "PHOTOPRISM_UID": "{{ guid }}"
       "TZ": "{{ timezone }}"
@@ -81,4 +81,4 @@
       - "{{ container_name }}"
       - photoprism-mariadb
     appends: yes
-  when: enable_swag
+  when: enable_swag

roles/network/ikev2/tasks/main.yml

@@ -24,6 +24,7 @@
     owner: "{{ username }}"
     group: "{{ username }}"
     modification_time: preserve
+    mode: 0644
 
 - name: Make sure the {{ container_name }} container is created and running
   docker_container:
@@ -33,7 +34,7 @@
     pull: yes
     state: 'started'
     env:
-      DNS_SERVERS: "{{ ansible_default_ipv4.address }}"
+      DNS_SERVERS: "{{ ', '.join(dns_nameservers) }}"
       VPNHOST: "{{ vpn_host }}"
       EMAILADDR:  "{{ email }}"
       VPNUSERNAME:  "{{ username }}"
@@ -47,7 +48,6 @@
       - "{{ docker_dir }}/{{ container_name }}/config:/config"
       - "{{ docker_dir }}/{{ container_name }}/letsencrypt:/etc/letsencrypt"
     ports:
-      - 80:80/tcp
       - 4500:4500/udp
       - 500:500/udp
     restart_policy: unless-stopped

roles/security/crowdsec/handlers/main.yml

@@ -0,0 +1,15 @@
+- name: Restart netfilter-persistent
+  service:
+    name: netfilter-persistent
+    state: restarted
+
+- name: Restart crowdsec
+  service:
+    name: crowdsec
+    state: restarted
+
+
+- name: Restart prometheus
+  service:
+    name: prometheus
+    state: restarted

roles/security/crowdsec/tasks/crowdsec.yml

@@ -0,0 +1,63 @@
+---
+- name: Add Crowdsec GPG apt Key
+  apt_key:
+    url: https://packagecloud.io/crowdsec/crowdsec/gpgkey
+    state: present
+
+- name: Add Crowdsec Repository
+  apt_repository:
+    repo: deb https://packagecloud.io/crowdsec/crowdsec/ubuntu bionic stable
+    state: present
+
+- name: Update apt and install Crowdsec and Prometheus
+  apt: 
+    update_cache: yes 
+    name:
+      - crowdsec
+      - crowdsec-firewall-bouncer-iptables
+      - prometheus
+    state: present
+
+- name: cscli hub update
+  command:
+    cmd: cscli hub update
+  changed_when: false
+
+- name: Install the necessary collections
+  command:
+    cmd: "sudo cscli collections install crowdsecurity/{{ item }}"
+  with_items:
+    - nginx
+    - sshd
+    - linux
+    - iptables
+  register: collections_install_result
+  changed_when: "'overwrite' not in collections_install_result.stderr"
+
+- name: Enable the Prometheus endpoint
+  lineinfile:
+    path: "/etc/crowdsec/config.yaml"
+    line: "  enabled: true"
+    search_string: "enabled: false"
+    insertafter: "^prometeus:.*$"
+  notify:
+    - Restart prometheus
+    - Restart crowdsec
+
+- name: Increase ban time
+  replace:
+    path: "/etc/crowdsec/profiles.yaml"
+    regexp: 'duration: [0-9]h'
+    replace: 'duration: 999h'
+  notify:
+    - Restart crowdsec
+
+- name: Start and enable Crowdsec services
+  service:
+    name: "{{ item }}"
+    state: started
+    enabled: true
+  with_items:
+      - crowdsec
+      - crowdsec-firewall-bouncer
+      - prometheus

roles/security/crowdsec/tasks/iptables.yml

@@ -0,0 +1,22 @@
+---
+- name: Install netfilters-persistent
+  package:
+    name: netfilter-persistent
+    state: present
+
+- name: Log port scanning attempts (iptables)
+  iptables:
+    chain: INPUT
+    match: conntrack
+    ctstate: NEW
+    comment: "Log new connections"
+    jump: LOG
+
+- name: Persist the port scanning rule (iptables)
+  community.general.iptables_state:
+    ip_version: ipv4
+    table: filter
+    state: saved
+    path: /etc/iptables/rules.v4
+  notify:
+    - Restart netfilter-persistent

roles/security/crowdsec/tasks/main.yml

@@ -0,0 +1,2 @@
+- include_tasks: iptables.yml
+- include_tasks: crowdsec.yml

roles/security/endlessh/tasks/main.yml

@@ -1,7 +1,7 @@
 - name: Install endlessh
   package:
     name: endlessh
-    state: latest
+    state: present
 
 - name: Copy the config file
   copy:

run.yml

@@ -46,7 +46,7 @@
       - fail2ban
 
     # TODO: Write my own role
-    - role: ../ansible-role-crowdsec
+    - role: security/crowdsec
       tags:
       - crowdsec
       when: enable_crowdsec

tasks/list_services.yml

@@ -24,6 +24,12 @@
   with_items: "{{ containers.files }}"
   no_log: true
 
+- name: Empty the variables (In case the task is called twice)
+  set_fact:
+    web_applications: []
+    swag_urls: {}
+  when: web_applications is defined and swag_urls is defined
+
 - name: Populate the dictionary of all containers
   set_fact:
     web_applications: "{{ web_applications | default([]) + [{ 'logo': '/assets/tools/homer-icons/' + item.path.split('/')[-1] + '.png', 'name': lookup('vars', item.path.split('/')[-1])['dashboard_name'] | default(item.path.split('/')[-1] | title), 'url' : lookup('vars', item.path.split('/')[-1])['dashboard_url'] | default(''), 'endpoint': lookup('vars', item.path.split('/')[-1])['health_url'] | default(''), 'category': lookup('vars', item.path.split('/')[-1])['homer_category'] | default ('') }] }}"
@@ -34,4 +40,4 @@
   set_fact:
     swag_urls: "{{ swag_urls | default({}) | combine({ item.path.split('/')[-1] : lookup('vars', item.path.split('/')[-1])['dashboard_url'] | default('') | regex_replace('https?://|/*', '') }) }}"
   when: lookup('vars', 'enable_' + item.path.split('/')[-1]) | default(False)
-  with_items: "{{ containers.files }}"
+  with_items: "{{ containers.files }}"