commit 904ecbdbe70b6c69ad6b4be4cfee39187f88c66e parent ce10fe601d88c4dda86544a5fffc96b6d51b2779 Author: Jul <jul@9o.is> Date: Fri, 10 May 2024 17:50:42 +0800 configure fwknop with symmetric key Diffstat:
| A | host/contrib/vault/vault-infra.sh | | | 14 | ++++++++++++++ |
| M | host/group_vars/all | | | 22 | ++++++++++++++++++++++ |
| A | host/roles/fwknop/handlers/main.yml | | | 6 | ++++++ |
| A | host/roles/fwknop/tasks/main.yml | | | 36 | ++++++++++++++++++++++++++++++++++++ |
| A | host/roles/fwknop/templates/access.conf.j2 | | | 4 | ++++ |
| A | host/roles/fwknop/templates/fwknopd.conf.j2 | | | 1 | + |
| M | host/roles/iptables/templates/iptables-custom-rules.j2 | | | 5 | +++-- |
7 files changed, 86 insertions(+), 2 deletions(-)
diff --git a/host/contrib/vault/vault-infra.sh b/host/contrib/vault/vault-infra.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+#if [ "$1" != "--vault-id" ]; then
+# echo "Flag --vault-id is required"
+# exit 1
+#fi
+
+#if [ ! "$2" ]; then
+# echo "Missing vault id value"
+# exit 1
+#fi
+
+qrexec-client-vm vault vault.RequestPassword+ansible-vault-infra
+
diff --git a/host/group_vars/all b/host/group_vars/all
@@ -1,2 +1,24 @@
 openssh_port: 57123
 net_interface: ens3
+
+fwknop_key_base64: !vault |
+ $ANSIBLE_VAULT;1.2;AES256;infra
+ 63353038626564633130373566323565333736653161393934613932346531323734653264336537
+ 3734636137613731613735613534643365383835366334390a633531623934393835646162326233
+ 65623866633835373165623866613262393635646538643465346430303763316263303636333436
+ 6233653662643762620a383732646638326365646331306330353236353733376130636538633166
+ 33396565303838363533303964653439383064333863636165366464386164663336666338383539
+ 3636376331623934346535633662636337366363373666636535
+
+fwknop_hmac_key_base64: !vault |
+ $ANSIBLE_VAULT;1.2;AES256;infra
+ 62333135323163623263633837353436623136636166326432353333656337323732363166343739
+ 3662636130633731386230306437366530386131383331330a643139396634396437666137396535
+ 39633261616636323338356233376431613339393561353533646239356235613061383637633362
+ 6532376139363962360a323936343830613936666637613936343665393830366130356464623333
+ 64333336666134336438373464366561653832343134323536633363396231393561633263396562
+ 36613436663165316235373939383963663339326333663938356266633536343435643633373537
+ 64396237356565333339626333393238666134646565356536363832646635306666326266616636
+ 63616133616232373836663235393263376663303132623366393163386463323430336363373738
+ 3866
+
diff --git a/host/roles/fwknop/handlers/main.yml b/host/roles/fwknop/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart fwknop-server
+ service:
+ name: fwknop-server
+ state: restarted
+
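Review bot: The two argument checks in vault-infra.sh are left in as commented-out dead code, so the script accepts any invocation and ignores whatever vault id it is handed; either restore the `--vault-id` check or delete the comments so the intent is unambiguous. If the checks were dropped because Ansible only passes `--vault-id <id>` to password scripts whose name ends in `-client`, a one-line comment saying so would save the next reader the same detour. A short header comment naming the purpose (vault password source for the `infra` vault id via qrexec) would also make the file self-explanatory, since the qrexec call is the only live line.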
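Review bot: fwknop_key_base64 and fwknop_hmac_key_base64 are placed in group_vars/all, so every host in the inventory is rendered the same SPA key and HMAC key into /etc/fwknop/access.conf, and a copy of that file taken from any one host is enough to knock on all of them. If that sharing is intentional it deserves a comment; otherwise consider moving the two variables to host_vars so each host gets its own pair. The vault-encrypted values are fine to commit, but a comment above them noting the vault id (`infra`) and which script supplies its password would make key rotation easier to perform.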
diff --git a/host/roles/fwknop/tasks/main.yml b/host/roles/fwknop/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: install fwknop-server
+ package:
+ name: fwknop-server
+ state: present
+
+- name: enable fwknop-server
+ service:
+ name: fwknop-server
+ enabled: true
+
+- name: create fwknop etc directory
+ file:
+ path: /etc/fwknop
+ owner: root
+ group: root
+ state: directory
+
+- name: configure fwknopd
+ template:
+ src: fwknopd.conf.j2
+ dest: /etc/fwknop/fwknopd.conf
+ owner: root
+ group: root
+ mode: '0600'
+ notify: restart fwknop-server
+
+- name: configure fwknop access
+ template:
+ src: access.conf.j2
+ dest: /etc/fwknop/access.conf
+ owner: root
+ group: root
+ mode: '0600'
+ notify: restart fwknop-server
+
diff --git a/host/roles/fwknop/templates/access.conf.j2 b/host/roles/fwknop/templates/access.conf.j2
@@ -0,0 +1,4 @@
+SOURCE ANY
+REQUIRE_SOURCE_ADDRESS Y
+KEY_BASE64 {{ fwknop_key_base64 }}
+HMAC_KEY_BASE64 {{ fwknop_hmac_key_base64 }}
diff --git a/host/roles/fwknop/templates/fwknopd.conf.j2 b/host/roles/fwknop/templates/fwknopd.conf.j2
@@ -0,0 +1 @@
+PCAP_INTF {{ net_interface }};
diff --git a/host/roles/iptables/templates/iptables-custom-rules.j2 b/host/roles/iptables/templates/iptables-custom-rules.j2
@@ -61,8 +61,9 @@
 $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
 $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 $IPT -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-# Allow ssh
-$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port {{ openssh_port }} -m conntrack --ctstate NEW -j ACCEPT
+# Allowed ports ssh
+# Commented out because fwknop will open the port
+# $IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port {{ openssh_port }} -m conntrack --ctstate NEW -j ACCEPT
 # Do not log smb/windows sharing packets - too much logging
 $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 137:139 -j REJECT
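Review bot: The `enable fwknop-server` task only sets `enabled: true` and never asserts `state: started`, so on a host where both templates are already current (no handler fires) fwknopd may stay stopped while this same commit comments out the iptables ssh accept rule, which could leave the host unreachable over ssh. Add `state: started` to that task and move it after the two template tasks so the daemon is not enabled before its configuration exists. The `create fwknop etc directory` task also sets owner and group but no `mode`; since access.conf carries the SPA keys, `mode: '0700'` on `/etc/fwknop` would match the 0600 applied to the files inside it.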
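Review bot: The access stanza defines no `OPEN_PORTS`, and with fwknop's defaults a valid SPA packet can then request any port rather than only ssh; since the only rule this commit removes from iptables is the ssh accept, `OPEN_PORTS tcp/{{ openssh_port }}` after `REQUIRE_SOURCE_ADDRESS Y` would pin the stanza to that port. `FW_ACCESS_TIMEOUT` is also left at its default; stating it explicitly (e.g. `FW_ACCESS_TIMEOUT 30`) documents how long the opened rule lives. A one-line comment naming the inventory variables the two keys come from would help whoever rotates them later.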