From 31d09c746529bd0102204b884af54e606ef216c1 Mon Sep 17 00:00:00 2001
From: Michael Aldridge
Date: Fri, 26 Feb 2016 00:13:15 -0600
Subject: [PATCH] Add idlebox role

---
 idler.yml | 5 +++
 inventory | 3 ++
 roles/idlebox/files/0common.rules | 23 ++++++++++++
 roles/idlebox/files/hostname | 1 +
 roles/idlebox/files/hosts | 2 +
 roles/idlebox/files/idle-box.rules | 6 +++
 roles/idlebox/files/ip6tables.conf | 7 ++++
 roles/idlebox/files/iptables | 6 +++
 roles/idlebox/files/resolv.conf | 3 ++
 roles/idlebox/files/ssh_banner | 9 +++++
 roles/idlebox/files/sshd_config | 19 ++++++++++
 roles/idlebox/handlers/main.yml | 6 +++
 roles/idlebox/tasks/main.yml | 60 ++++++++++++++++++++++++++++++
 13 files changed, 150 insertions(+)
 create mode 100644 idler.yml
 create mode 100644 roles/idlebox/files/0common.rules
 create mode 100644 roles/idlebox/files/hostname
 create mode 100644 roles/idlebox/files/hosts
 create mode 100644 roles/idlebox/files/idle-box.rules
 create mode 100644 roles/idlebox/files/ip6tables.conf
 create mode 100755 roles/idlebox/files/iptables
 create mode 100644 roles/idlebox/files/resolv.conf
 create mode 100644 roles/idlebox/files/ssh_banner
 create mode 100644 roles/idlebox/files/sshd_config
 create mode 100644 roles/idlebox/handlers/main.yml
 create mode 100644 roles/idlebox/tasks/main.yml

diff --git a/idler.yml b/idler.yml
new file mode 100644
index 0000000..291c2b9
--- /dev/null
+++ b/idler.yml
@@ -0,0 +1,5 @@
+---
+- hosts: idlebox
+  sudo: yes
+  roles:
+    - idlebox
diff --git a/inventory b/inventory
index 73268e0..4f14b18 100644
--- a/inventory
+++ b/inventory
@@ -12,3 +12,6 @@ luggable-gw
 [luggable]
 luggable
+
+[idlebox]
+lug-idler
diff --git a/roles/idlebox/files/0common.rules b/roles/idlebox/files/0common.rules
new file mode 100644
index 0000000..ebeff63
--- /dev/null
+++ b/roles/idlebox/files/0common.rules
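Review bot: `sudo: yes` on the idlebox play is the pre-1.9 privilege-escalation keyword; the role needs root for everything it does (writes under /etc, apt installs), so the current spelling `become: yes` should be used. Releases of that era still accept `sudo:`, so this is a style point rather than a functional one, but the old keyword is the one that will eventually stop working.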
@@ -0,0 +1,23 @@
+# Firewall configuration written by phy1729
+# Modified by maldridge 2/25/2016
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -i lo -j ACCEPT
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p icmp -j ACCEPT
+
+-A OUTPUT -o lo -j ACCEPT
+-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A OUTPUT -p icmp -j ACCEPT
+# DNS
+-A OUTPUT -p udp -d 8.8.8.8 --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -d 8.8.8.8 --dport 53 -j ACCEPT
+-A OUTPUT -p udp -d 8.8.4.4 --dport 53 -j ACCEPT
+-A OUTPUT -p tcp -d 8.8.4.4 --dport 53 -j ACCEPT
+# Allow github for dotfiles and vim plugins
+-A OUTPUT -p tcp -d 192.30.252.0/22 --dport 443 -j ACCEPT
+
+COMMIT
diff --git a/roles/idlebox/files/hostname b/roles/idlebox/files/hostname
new file mode 100644
index 0000000..dbd1b1c
--- /dev/null
+++ b/roles/idlebox/files/hostname
@@ -0,0 +1 @@
+lug-idler
diff --git a/roles/idlebox/files/hosts b/roles/idlebox/files/hosts
new file mode 100644
index 0000000..437838e
--- /dev/null
+++ b/roles/idlebox/files/hosts
@@ -0,0 +1,2 @@
+127.0.0.1 localhost
+158.69.215.92 idle.utdlug.org lug-idler
diff --git a/roles/idlebox/files/idle-box.rules b/roles/idlebox/files/idle-box.rules
new file mode 100644
index 0000000..da53ae0
--- /dev/null
+++ b/roles/idlebox/files/idle-box.rules
@@ -0,0 +1,6 @@
+*filter
+# Allow mosh in
+-A INPUT -p udp --dport 60001:60999 -j ACCEPT
+# Allow IRC, IRC SSL, jabber, HTTP, and HTTPS
+-A OUTPUT -p tcp -m multiport --destination-port 6667,6697,9003,16667,5222,80,443 -j ACCEPT
+COMMIT
diff --git a/roles/idlebox/files/ip6tables.conf b/roles/idlebox/files/ip6tables.conf
new file mode 100644
index 0000000..03d89d4
--- /dev/null
+++ b/roles/idlebox/files/ip6tables.conf
@@ -0,0 +1,7 @@
+*filter
+:INPUT DROP [0:0]
+:FORWARD DROP [0:0]
+:OUTPUT DROP [0:0]
+-A INPUT -i lo -j ACCEPT
+-A OUTPUT -o lo -j ACCEPT
+COMMIT
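Review bot: `-A INPUT -p icmp -j ACCEPT` admits every ICMP type from any source, while the RELATED,ESTABLISHED rule two lines above it already lets error messages for the box's own connections back in; narrowing it to `-A INPUT -p icmp --icmp-type echo-request -j ACCEPT` keeps ping working and drops the rest. Port 22 is open to the world with no connection-rate limit, which a publicly reachable idle box will feel in its auth log; a `-m recent` or `hashlimit` rule matched on `--ctstate NEW` for dport 22 is the usual mitigation and fits in two lines here. The OUTPUT chain has no udp/123 allowance, so if this host runs an NTP daemon it will not be able to sync, and the TLS-only services permitted later depend on a sane clock for certificate validity — worth either adding the rule or noting why time comes from elsewhere.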
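Review bot: The comment above the multiport rule names five services but the rule carries seven ports, and 9003 and 16667 are not identified anywhere, so a later maintainer cannot tell what they serve or whether they are still needed; spell the mapping out, e.g. `# 6667/16667 plaintext IRC, 6697 IRC over TLS, 9003 <name the service>, 5222 XMPP, 80/443 HTTP(S)`. The same rule allows tcp/443 to any destination, which makes the GitHub-only `-d 192.30.252.0/22 --dport 443` rule in 0common.rules redundant — decide whether egress is restricted per port (then the GitHub rule can go) or per destination (then 80/443 do not belong in this blanket rule). The 60001:60999 UDP range open to all sources appears to match mosh-server's default port range, so that part looks consistent with the package being installed.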
diff --git a/roles/idlebox/files/iptables b/roles/idlebox/files/iptables
new file mode 100755
index 0000000..bb1ad23
--- /dev/null
+++ b/roles/idlebox/files/iptables
@@ -0,0 +1,6 @@
+#!/bin/sh
+iptables -F
+for file in /etc/iptables.d/*; do
+    iptables-restore -n < "$file"
+done
+ip6tables-restore < /etc/ip6tables.conf
diff --git a/roles/idlebox/files/resolv.conf b/roles/idlebox/files/resolv.conf
new file mode 100644
index 0000000..76953e2
--- /dev/null
+++ b/roles/idlebox/files/resolv.conf
@@ -0,0 +1,3 @@
+nameserver 8.8.8.8
+nameserver 8.8.4.4
+search utdlug.org
diff --git a/roles/idlebox/files/ssh_banner b/roles/idlebox/files/ssh_banner
new file mode 100644
index 0000000..b05edb2
--- /dev/null
+++ b/roles/idlebox/files/ssh_banner
@@ -0,0 +1,9 @@
+Welcome!
+
+This box is provided to idle your IRC session on.
+Use of this server for other purposes may lead
+to your access being removed.
+
+For problems or software requests, contact utdlug@gmail.com
+
+Enjoy!
diff --git a/roles/idlebox/files/sshd_config b/roles/idlebox/files/sshd_config
new file mode 100644
index 0000000..7a0d316
--- /dev/null
+++ b/roles/idlebox/files/sshd_config
@@ -0,0 +1,19 @@
+# See the sshd_config(5) manpage for details
+
+AddressFamily inet
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostKey /etc/ssh/ssh_host_rsa_key
+
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,hmac-ripemd160
+
+UsePrivilegeSeparation sandbox
+Subsystem sftp /usr/lib/openssh/sftp-server
+PermitRootLogin no
+
+Banner /etc/ssh/banner
+
+PubkeyAuthentication yes
+PasswordAuthentication no
diff --git a/roles/idlebox/handlers/main.yml b/roles/idlebox/handlers/main.yml
new file mode 100644
index 0000000..c352ef8
--- /dev/null
+++ b/roles/idlebox/handlers/main.yml
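Review bot: `for file in /etc/iptables.d/*` feeds every entry in the directory to `iptables-restore`, so an editor backup such as `0common.rules~` or a stray `.dpkg-old` copy would be loaded as well; restricting the glob to `/etc/iptables.d/*.rules` limits the script to the files the role deploys. `iptables -F` runs unconditionally before any restore, so if a later file fails to parse the box is left with whatever chain policies were already in place — DROP after any previous successful run — and no ACCEPT rules, which cuts off SSH as well; checking each restore's exit status and stopping with a message, or pre-validating every file with `iptables-restore --test` before the flush, avoids that failure mode. The load order relies on the glob's lexical sort (`0common.rules` before `idle-box.rules`), which is presumably what the leading `0` is for; that convention deserves a one-line comment in the script, e.g. `# files are applied in lexical order; 0common.rules must set the chain policies first`.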
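Review bot: This file replaces the distribution's sshd_config wholesale, so any directive Debian/Ubuntu set in the packaged default and this file omits falls back to the OpenSSH upstream default — notably `ChallengeResponseAuthentication` (upstream default yes) and `UsePAM` (upstream default no). `PasswordAuthentication no` alone therefore does not make the keys-only intent unambiguous; add `ChallengeResponseAuthentication no` beside it, and set `UsePAM` explicitly, since as far as I recall the Debian packaging expects `UsePAM yes` for account and session handling (pam_nologin, limits) to apply. `hmac-ripemd160` at the end of the MACs line is the only non-SHA-2 entry and is not needed by any client that can negotiate the rest of the list, so it can be dropped. With `PermitRootLogin no`, two host keys and pubkey-only auth the rest is a sound baseline.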
@@ -0,0 +1,6 @@
+---
+- name: idle-iptables
+  command: /etc/network/if-up.d/iptables
+
+- name: idle-sshd
+  service: name=ssh state=restarted
diff --git a/roles/idlebox/tasks/main.yml b/roles/idlebox/tasks/main.yml
new file mode 100644
index 0000000..2935292
--- /dev/null
+++ b/roles/idlebox/tasks/main.yml
@@ -0,0 +1,60 @@
+---
+- name: Configure resolvconf
+  copy: src=resolv.conf dest=/etc/resolvconf/resolv.conf.d/base owner=root group=root mode=0644
+
+- name: Add iptables script
+  copy: src=iptables dest=/etc/network/if-up.d/iptables owner=root group=root mode=0740
+
+- name: Make iptables.d
+  file: path=/etc/iptables.d state=directory owner=root group=root mode=0740
+
+- name: Configure IPv4 firewall
+  copy: src={{ item }} dest=/etc/iptables.d/{{ item }} owner=root group=root mode=0640
+  with_items:
+    - 0common.rules
+    - idle-box.rules
+  notify:
+    - idle-iptables
+
+- name: Configure IPv6 firewall
+  copy: src=ip6tables.conf dest=/etc/ip6tables.conf owner=root group=root mode=0640
+  notify:
+    - idle-iptables
+
+- name: Configure hostname 1/2
+  copy: src=hostname dest=/etc/hostname owner=root group=root mode=0644
+
+- name: Configure hostname 2/2
+  copy: src=hosts dest=/etc/hosts owner=root group=root mode=0644
+
+- name: Configure sshd
+  copy: src=sshd_config dest=/etc/ssh/sshd_config owner=root group=root mode=0644
+  notify:
+    - idle-sshd
+
+- name: Add SSH banner
+  copy: src=ssh_banner dest=/etc/ssh/banner owner=root group=root mode=0644
+  notify:
+    - idle-sshd
+
+- name: Add weechat repository
+  apt_repository: repo=ppa:nesthib/weechat-stable update_cache=yes
+
+- name: Install idle-box packages
+  apt: pkg={{ item }} state=present update_cache=yes
+  with_items:
+    - bc
+    - git
+    - irssi
+    - mosh
+    - screen
+    - tmux
+    - zsh
+    # For SASL in irssi
+    - libcrypt-blowfish-perl
+    - libcrypt-dh-perl
+    - libcrypt-openssl-bignum-perl
+    # For jabber in weechat
+    - python-xmpp
+    - weechat-curses
+    - weechat-plugins
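Review bot: The `Configure sshd` task installs a complete sshd_config and the notified `idle-sshd` handler restarts ssh, so a typo in that file takes down the only remote access path on the next run; give the copy a validate step, `copy: src=sshd_config dest=/etc/ssh/sshd_config owner=root group=root mode=0644 validate='/usr/sbin/sshd -t -f %s'`, so Ansible refuses to install a config sshd cannot parse. `Add weechat repository` enables `ppa:nesthib/weechat-stable`, which means packages signed by a third-party key get installed as root on every host in the group — a supply-chain trust decision that should at least carry a comment saying why the PPA is preferred over the distro's weechat package. `Configure resolvconf` writes resolv.conf.d/base but nothing regenerates /etc/resolv.conf, so the new nameservers and search domain presumably only take effect at the next interface event; a handler running `resolvconf -u` would apply them immediately. `Make iptables.d` sets mode 0740 on a directory, where 0750 or 0700 is the conventional root-only permission.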