commit a26c13225a64c45287d11e32fcb6bcdd2f87ee90 parent 4a671791716af395d21797a29c0209d1d447aa53 Author: Jul <jul@9o.is> Date: Mon, 13 May 2024 21:11:08 +0800 remove fwknop Diffstat:
| M | host/group_vars/all | | | 22 | ---------------------- |
| D | host/roles/fwknop/handlers/main.yml | | | 6 | ------ |
| D | host/roles/fwknop/tasks/main.yml | | | 73 | ------------------------------------------------------------------------- |
| D | host/roles/fwknop/templates/access.conf.j2 | | | 5 | ----- |
| D | host/roles/fwknop/templates/fwknopd.conf.j2 | | | 2 | -- |
| M | host/roles/iptables/templates/iptables-custom-rules.j2 | | | 5 | ++--- |
| M | host/site.yml | | | 9 | +-------- |
7 files changed, 3 insertions(+), 119 deletions(-)
diff --git a/host/group_vars/all b/host/group_vars/all
@@ -1,25 +1,3 @@
 openssh_port: 57123
-net_interface: ens3
 k0s_version: v1.30.0+k0s.0
-fwknop_key_base64: !vault |
- $ANSIBLE_VAULT;1.2;AES256;infra
- 63353038626564633130373566323565333736653161393934613932346531323734653264336537
- 3734636137613731613735613534643365383835366334390a633531623934393835646162326233
- 65623866633835373165623866613262393635646538643465346430303763316263303636333436
- 6233653662643762620a383732646638326365646331306330353236353733376130636538633166
- 33396565303838363533303964653439383064333863636165366464386164663336666338383539
- 3636376331623934346535633662636337366363373666636535
-
-fwknop_hmac_key_base64: !vault |
- $ANSIBLE_VAULT;1.2;AES256;infra
- 62333135323163623263633837353436623136636166326432353333656337323732363166343739
- 3662636130633731386230306437366530386131383331330a643139396634396437666137396535
- 39633261616636323338356233376431613339393561353533646239356235613061383637633362
- 6532376139363962360a323936343830613936666637613936343665393830366130356464623333
- 64333336666134336438373464366561653832343134323536633363396231393561633263396562
- 36613436663165316235373939383963663339326333663938356266633536343435643633373537
- 64396237356565333339626333393238666134646565356536363832646635306666326266616636
- 63616133616232373836663235393263376663303132623366393163386463323430336363373738
- 3866
-
diff --git a/host/roles/fwknop/handlers/main.yml b/host/roles/fwknop/handlers/main.yml
@@ -1,6 +0,0 @@
----
-- name: restart fwknop-server
- service:
- name: fwknop-server
- state: restarted
-
diff --git a/host/roles/fwknop/tasks/main.yml b/host/roles/fwknop/tasks/main.yml
@@ -1,73 +0,0 @@
----
-- name: install fwknop-server
- package:
- name: fwknop-server
- state: present
-
-- name: enable fwknop-server
- service:
- name: fwknop-server
- enabled: true
-
-- name: create fwknop etc directory
- file:
- path: /etc/fwknop
- owner: root
- group: root
- state: directory
-
-- name: configure fwknopd
- template:
- src: fwknopd.conf.j2
- dest: /etc/fwknop/fwknopd.conf
- owner: root
- group: root
- mode: '0600'
- notify: restart fwknop-server
-
-- name: configure fwknop access
- template:
- src: access.conf.j2
- dest: /etc/fwknop/access.conf
- owner: root
- group: root
- mode: '0600'
- notify: restart fwknop-server
-
-- name: Create fwknop config directory locally
- delegate_to: localhost
- become: false
- file:
- path: ~user/.config/fwknop
- owner: user
- group: user
- mode: '0755'
- state: directory
-
-- name: Create fwknoprc locally
- delegate_to: localhost
- become: false
- file:
- path: ~user/.config/fwknop/fwknoprc
- owner: user
- group: user
- mode: '0600'
- state: touch
-
-- name: Configure fwknoprc locally
- delegate_to: localhost
- delegate_facts: true
- become: false
- blockinfile:
- path: ~user/.config/fwknop/fwknoprc
- marker: "### {mark} ansible managed {{ ansible_facts.hostname }}"
- append_newline: true
- prepend_newline: true
- block: |
- [{{ ansible_facts.hostname }}]
- ACCESS tcp/{{ openssh_port }}
- SPA_SERVER {{ ansible_facts.hostname }}
- USE_HMAC Y
- KEY_BASE64 {{ fwknop_key_base64 }}
- HMAC_KEY_BASE64 {{ fwknop_hmac_key_base64 }}
-
diff --git a/host/roles/fwknop/templates/access.conf.j2 b/host/roles/fwknop/templates/access.conf.j2
@@ -1,5 +0,0 @@
-SOURCE ANY
-REQUIRE_SOURCE_ADDRESS Y
-OPEN_PORTS tcp/{{ openssh_port }}
-KEY_BASE64 {{ fwknop_key_base64 }}
-HMAC_KEY_BASE64 {{ fwknop_hmac_key_base64 }}
diff --git a/host/roles/fwknop/templates/fwknopd.conf.j2 b/host/roles/fwknop/templates/fwknopd.conf.j2
@@ -1,2 +0,0 @@
-PCAP_INTF {{ net_interface }};
-PCAP_FILTER udp port 63300;
diff --git a/host/roles/iptables/templates/iptables-custom-rules.j2 b/host/roles/iptables/templates/iptables-custom-rules.j2
@@ -2,7 +2,7 @@
 IPT="/sbin/iptables"
 IP6T="/sbin/ip6tables"
-PUB_IF="{{ net_interface }}"
+PUB_IF="{{ static_interface }}"
 $IPT -F
 $IPT -X
@@ -62,8 +62,7 @@
 $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
 $IPT -A OUTPUT -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
 # Allowed ports ssh
-# Commented out because fwknop will open the port
-# $IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port {{ openssh_port }} -m conntrack --ctstate NEW -j ACCEPT
+$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port {{ openssh_port }} -m conntrack --ctstate NEW -j ACCEPT
 # Do not log smb/windows sharing packets - too much logging
 $IPT -A INPUT -i ${PUB_IF} -p tcp --dport 137:139 -j REJECT
diff --git a/host/site.yml b/host/site.yml
@@ -13,15 +13,8 @@
 tags: init
 roles:
 - setup
- - openssh
-
-- name: Firewall
- hosts: servers
- remote_user: user
- tags: firewall
- roles:
 - iptables
- - fwknop
+ - openssh
 - name: Kubernetes
 hosts: servers
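Review bot: `PUB_IF` now reads `static_interface`, but this commit removes `net_interface: ens3` from group_vars/all and defines no replacement anywhere in the diff; unless `static_interface` is set by another role or the inventory (not visible here), Ansible's template module fails the task on the undefined variable by default and the rule set is never applied, so either `{{ static_interface | mandatory }}` or a comment naming the source would make the dependency explicit. The second hunk accepts NEW connections to `{{ openssh_port }}` on the public interface unconditionally now that the SPA gate is gone, which means sshd absorbs the full brute-force load; a per-source limit ahead of the ACCEPT, `$IPT -A INPUT -i ${PUB_IF} -p tcp --destination-port {{ openssh_port }} -m conntrack --ctstate NEW -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-above 6/minute -j DROP`, keeps the exposure bounded without fwknop. Both hunks are excerpts of the template body, which continues outside them.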
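Review bot: Folding the iptables role into the `init` play drops the standalone `firewall` tag, so `--tags firewall` can no longer re-apply the rules on their own; keeping the tag on the role entry, `- role: iptables` followed by `tags: firewall`, preserves that without the extra play. The removed Firewall play ran as `remote_user: user`, whereas the iptables role now inherits whatever the first play sets, and that play's header lies outside this hunk, so confirm its `remote_user`/`become` match what the role expects. Role order is now setup, iptables, openssh, which is fine as long as both roles take the port from the same `openssh_port` variable in group_vars/all.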