Add idlebox role

idler.yml

@@ -0,0 +1,5 @@
+---
+- hosts: idlebox
+  sudo: yes
+  roles:
+  - idlebox

inventory

@@ -12,3 +12,6 @@ luggable-gw
 
 [luggable]
 luggable
+
+[idlebox]
+lug-idler

roles/idlebox/files/0common.rules

@@ -0,0 +1,23 @@
+# Firewall configuration written by phy1729
+# Modified by maldridge 2/25/2016
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p icmp -j ACCEPT
+# DNS
+-A OUTPUT -p udp -d 8.8.8.8 --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -d 8.8.8.8 --dport 53 -j ACCEPT
+-A OUTPUT -p udp -d 8.8.4.4 --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -d 8.8.4.4 --dport 53 -j ACCEPT
+# Allow github for dotfiles and vim plugins
+-A OUTPUT -p tcp -d 192.30.252.0/22 --dport 443 -j ACCEPT
+
+COMMIT

roles/idlebox/files/hostname

@@ -0,0 +1 @@
+lug-idler

roles/idlebox/files/hosts

@@ -0,0 +1,2 @@
+127.0.0.1	localhost
+158.69.215.92	idle.utdlug.org	lug-idler

roles/idlebox/files/idle-box.rules

@@ -0,0 +1,6 @@
+*filter
+# Allow mosh in
+-A INPUT -p udp --dport 60001:60999 -j ACCEPT
+# Allow IRC, IRC SSL, jabber, HTTP, and HTTPS
+-A OUTPUT -p tcp -m multiport --destination-port 6667,6697,9003,16667,5222,80,443 -j ACCEPT
+COMMIT

roles/idlebox/files/ip6tables.conf

@@ -0,0 +1,7 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+COMMIT

roles/idlebox/files/iptables

@@ -0,0 +1,6 @@
+#!/bin/sh
+iptables -F
+for file in /etc/iptables.d/*; do
+	iptables-restore -n < "$file"
+done
+ip6tables-restore < /etc/ip6tables.conf

roles/idlebox/files/resolv.conf

@@ -0,0 +1,3 @@
+nameserver 8.8.8.8
+nameserver 8.8.4.4
+search utdlug.org

roles/idlebox/files/ssh_banner

@@ -0,0 +1,9 @@
+Welcome!
+
+This box is provided to idle your IRC session on.
+Use of this server for other purposes may lead
+to your access being removed.
+
+For problems or software requests, contact [email protected]
+
+Enjoy!

roles/idlebox/files/sshd_config

@@ -0,0 +1,19 @@
+# See the sshd_config(5) manpage for details
+
+AddressFamily inet
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+Ciphers [email protected],[email protected],aes256-ctr
+KexAlgorithms [email protected],diffie-hellman-group-exchange-sha256
+MACs [email protected],hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+
+UsePrivilegeSeparation sandbox
+Subsystem sftp /usr/lib/openssh/sftp-server
+PermitRootLogin no
+
+Banner /etc/ssh/banner
+
+PubkeyAuthentication yes
+PasswordAuthentication no

roles/idlebox/handlers/main.yml

@@ -0,0 +1,6 @@
+---
+- name: idle-iptables
+  command: /etc/network/if-up.d/iptables
+
+- name: idle-sshd
+  service: name=ssh state=restarted

roles/idlebox/tasks/main.yml

@@ -0,0 +1,60 @@
+---
+- name: Configure resolvconf
+  copy: src=resolv.conf dest=/etc/resolvconf/resolv.conf.d/base owner=root group=root mode=0644
+
+- name: Add iptables script
+  copy: src=iptables dest=/etc/network/if-up.d/iptables owner=root group=root mode=0740
+
+- name: Make iptables.d
+  file: path=/etc/iptables.d state=directory owner=root group=root mode=0740
+
+- name: Configure IPv4 firewall
+  copy: src={{ item }} dest=/etc/iptables.d/{{ item }} owner=root group=root mode=0640
+  with_items:
+    - 0common.rules
+    - idle-box.rules
+  notify:
+  - idle-iptables
+
+- name: Configure IPv6 firewall
+  copy: src=ip6tables.conf dest=/etc/ip6tables.conf owner=root group=root mode=0640
+  notify:
+  - idle-iptables
+
+- name: Configure hostname 1/2
+  copy: src=hostname dest=/etc/hostname owner=root group=root mode=0644
+
+- name: Configure hostname 2/2
+  copy: src=hosts dest=/etc/hosts owner=root group=root mode=0644
+
+- name: Configure sshd
+  copy: src=sshd_config dest=/etc/ssh/sshd_config owner=root group=root mode=0644
+  notify:
+  - idle-sshd
+
+- name: Add SSH banner
+  copy: src=ssh_banner dest=/etc/ssh/banner owner=root group=root mode=0644
+  notify:
+  - idle-sshd
+
+- name: Add weechat repository
+  apt_repository: repo=ppa:nesthib/weechat-stable update_cache=yes
+
+- name: Install idle-box packages
+  apt: pkg={{ item }} state=present update_cache=yes
+  with_items:
+  - bc
+  - git
+  - irssi
+  - mosh
+  - screen
+  - tmux
+  - zsh
+  # For SASL in irssi
+  - libcrypt-blowfish-perl
+  - libcrypt-dh-perl
+  - libcrypt-openssl-bignum-perl
+  # For jabber in weechat
+  - python-xmpp
+  - weechat-curses
+  - weechat-plugins