Add fail2ban, modify Vaultwarden and SWAG config files

pankyada · Jan 3, 2022 · dcc99e3 · dcc99e3
1 parent 188d4c7
commit dcc99e3
Show file tree

Hide file tree

Showing 11 changed files with 106 additions and 22 deletions.
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
@@ -320,20 +320,3 @@ snapraid_config_excludes:
 # SMART error reporting
 #
 smartd_default_mail_recipients: [ "{{ email }}" ]
-
-#
-# Secret variables (encrypt with ansible-vault)
-#
-duckdns_token: ""
-
-duckdns_domain: ""
-
-mysql_root_password: ""
-
-mysql_password: ""
-
-password: ""
-
-password2: ""
-
-email_password: ""
diff --git a/roles/containers/bitwarden/tasks/main.yml b/roles/containers/bitwarden/tasks/main.yml
@@ -15,6 +15,9 @@
       WEBSOCKET_ENABLED: "true"
       INVITATIONS_ALLOWED: "false"
       SIGNUPS_ALLOWED: "false"
+      DOMAIN: "{{ dashboard_url }}"
+      LOG_FILE: "/data/vaultwarden.log"
+      TZ: "{{ timezone }}"
     volumes:
       - "{{ docker_dir }}/{{ container_name }}:/data"
     restart_policy: unless-stopped
@@ -26,4 +29,4 @@
     connected:
       - bitwarden
     appends: yes
-  when: enable_swag
+  when: enable_swag
diff --git a/roles/containers/swag/tasks/main.yml b/roles/containers/swag/tasks/main.yml
@@ -39,10 +39,6 @@
   when: lookup('vars', 'enable_' + item.path.split('/')[-1]) | default(False)
   with_items: "{{ containers.files }}"
 
-- name: Print out
-  debug:
-    var: swag_urls
-
 - name: Create a SWAG network, add all the containers to be reverse-proxied into it
   docker_network:
     name: swag_network
@@ -101,6 +97,7 @@
       "VALIDATION": "dns"
       "DNSPLUGIN": "cloudflare"
       "EMAIL": "{{ email }}"
+      "DOCKER_MODS": "linuxserver/mods:swag-cloudflare-real-ip"
     ports:
       - "443:443"
       - "80:80"
@@ -136,3 +133,4 @@
     dest: "{{ docker_dir }}/pihole/dnmasq-unbound/05-pihole-custom-cname.conf"
   when: 
     hostvars['coda']['enable_pihole']
+
diff --git a/roles/fail2ban/files/filter.d/nextcloud.conf b/roles/fail2ban/files/filter.d/nextcloud.conf
@@ -0,0 +1,7 @@
+[Definition]
+_groupsre = (?:(?:,?\s*"\w+":(?:"[^"]+"|\w+))*)
+failregex = ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Login failed:
+            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Trusted domain error.
+            ^\{%(_groupsre)s,?\s*"remoteAddr":"<HOST>"%(_groupsre)s,?\s*"message":"Wrong username or password.
+
+datepattern = ,?\s*"time"\s*:\s*"%%Y-%%m-%%d[T ]%%H:%%M:%%S(%%z)?"
diff --git a/roles/fail2ban/files/filter.d/vaultwarden-admin.conf b/roles/fail2ban/files/filter.d/vaultwarden-admin.conf
@@ -0,0 +1,3 @@
+[Definition]
+failregex = ^.*Invalid admin token\. IP: <ADDR>.*$
+ignoreregex =
diff --git a/roles/fail2ban/files/filter.d/vaultwarden.conf b/roles/fail2ban/files/filter.d/vaultwarden.conf
@@ -0,0 +1,3 @@
+[Definition]
+failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
+ignoreregex =
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
@@ -0,0 +1,53 @@
+- name: Install fail2ban
+  package:
+    name: fail2ban
+    state: latest
+
+- name: Make sure the fail2ban systemd service is enabled and started
+  service:
+    name: fail2ban
+    state: started
+    enabled: yes
+
+- name: Copy custom fail2ban rules
+  copy:
+    src: "{{ item }}"
+    dest: "/etc/fail2ban/filter.d"
+    owner: "{{ username }}"
+    group: "{{ username }}"
+  with_fileglob: 
+    - "files/filter.d/*.conf"
+  register: copied_rules
+
+- name: Create a list of rule files that were deployed
+  set_fact:
+    installed_configs: "{{ installed_configs | default([]) + [ item.dest.split('/')[-1].split('.')[0] ] }}" 
+  with_items: "{{ copied_rules.results }}"
+
+- name: Install the jail.local file
+  template:
+    src: "jail.local.j2"
+    dest: "/etc/fail2ban/jail.local"
+
+- name: Install the paths-overrides.local file
+  template:
+    src: "paths-overrides.local.j2"
+    dest: "/etc/fail2ban/paths-overrides.local"
+
+
+- name: Put the cloudflare token into the configuration file
+  lineinfile:
+    regex: "^cftoken ="
+    line: "cftoken = {{ cloudflare_firewall_token }}"
+    path: "/etc/fail2ban/action.d/cloudflare.conf"
+
+- name: Put the cloudflare email into the configuration file
+  lineinfile:
+    regex: "^cfuser ="
+    line: "cfuser = {{ email }}"
+    path: "/etc/fail2ban/action.d/cloudflare.conf"
+
+- name: Restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted
diff --git a/roles/fail2ban/templates/cloudflare.local.j2 b/roles/fail2ban/templates/cloudflare.local.j2
@@ -0,0 +1,2 @@
+cftoken = {{ cloudflare_firewall_token }}
+cfuser = {{ email }}
diff --git a/roles/fail2ban/templates/jail.local.j2 b/roles/fail2ban/templates/jail.local.j2
@@ -0,0 +1,24 @@
+[DEFAULT]
+banaction = cloudflare 
+            complain
+            iptables-allports
+bantime  = -1
+findtime  = 600
+maxretry = 3
+ignoreip = 127.0.0.1/8 ::1 {{ ansible_default_ipv4.address }}/24
+action = %(action_mwl)s
+destemail = {{ email }}
+sender = {{ email }}
+
+[sshd]
+enabled = true
+port = {{ security_ssh_port }}
+filter = sshd
+
+{% for name in installed_configs %}
+[{{ name }}]
+enabled  = true
+port     = http,https
+filter   = {{ name }}
+logpath  = %({{ name }}_log)s
+{% endfor %}
diff --git a/roles/fail2ban/templates/paths-overrides.local.j2 b/roles/fail2ban/templates/paths-overrides.local.j2
@@ -0,0 +1,4 @@
+[DEFAULT]
+nextcloud_log = {{ docker_dir }}/nextcloud/data/nextcloud.log
+vaultwarden_log = {{ docker_dir }}/vaultwarden/vaultwarden.log
+vaultwarden-admin_log = {{ docker_dir }}/vaultwarden/vaultwarden.log
diff --git a/run.yml b/run.yml
@@ -90,6 +90,10 @@
       tags: 
         - essential
 
+    - role: fail2ban
+      tags:
+      - fail2ban
+
     - role: filesystems/mergerfs
       tags:
       - mergerfs
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		cftoken = {{ cloudflare_firewall_token }}
		cfuser = {{ email }}