
Added and fixed some roles

This commit is contained in:
Opnxng 2023-11-13 11:47:39 +08:00
parent 758424800c
commit 56386d48c0
26 changed files with 331 additions and 154 deletions

2
.gitignore vendored

@ -1,3 +1,3 @@
vars/secrets.yml
vars/secrets.yaml
production
.hidden

6
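--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -0,0 +1,6 @@
+{
+"launch": {
+"configurations": [],
+"compounds": []
+}
+}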


@ -34,9 +34,9 @@ sudo nano /etc/ssh/sshd_config.d/sshd.conf
## Configurations
You can modify the [packages to be installed](set-up.yml) and the [UFW rules](roles/ufw/tasks/main.yml).
You can modify the [packages to be installed](set-up.yaml) and the [UFW rules](roles/ufw/tasks/main.yaml).
Passwords and other sensitive data are kept locally as encrypted variables in [secrets.yml](vars/secrets.example.yml).
Passwords and other sensitive data are kept locally as encrypted variables in [secrets.yaml](vars/secrets.example.yaml).
## Contact
Please contact us via [email](mailto:opnxng@tuta.io) if you discover any vulnerability or area for improvement in our infrastructure. We would truly appreciate it.


@ -0,0 +1,2 @@
- name: Lock root password
user: name=root password='!'
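Review bot: The `user: name=root password='!'` task uses key=value shorthand while every other task in this commit passes module arguments as block YAML, and quoting `'!'` inside a shorthand string is fragile; write it as `user:` / `  name: root` / `  password_lock: true`, which is the module's supported way to lock the account without touching whatever hash is already there. The role file also lacks the `---` document start that set-up.yaml has. This file's path is not shown on the page, so I am inferring from set-up.yaml that it is the disable-root role.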


@ -10,7 +10,7 @@
- name: Create Docker directory
file:
path: /home/{{ user }}/Docker
path: "/home/{{ user }}/Docker"
state: directory
owner: 1000
group: 1000
@ -25,7 +25,7 @@
- name: Add user to Docker group
user:
name: {{ user }}
name: "{{ user }}"
groups: docker
append: true
@ -43,4 +43,4 @@
service:
name: docker
enabled: true
state: restarted
state: restarted
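Review bot: `state: restarted` on the docker service in the last hunk restarts the daemon on every play run, which is not idempotent and interrupts running containers each time the playbook is applied; use `state: started` here and move the restart into a handler notified only by tasks that actually change daemon configuration. In the first hunk the Docker directory is chowned to the literal uid/gid `1000` while its path is built from `{{ user }}`; `owner: "{{ user }}"` / `group: "{{ user }}"` would keep the two in step if that account is ever not uid 1000. The enclosing task list starts and ends outside the hunks shown.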


@ -0,0 +1,2 @@
- name: Set hostname
command: "hostnamectl set-hostname {{ inventory_hostname }}"
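Review bot: `command: "hostnamectl set-hostname {{ inventory_hostname }}"` reports `changed` on every run and never becomes idempotent, so the play's change summary stops meaning anything for this host. The builtin module does the same job idempotently: `ansible.builtin.hostname:` / `  name: "{{ inventory_hostname }}"`. If the command form is kept for some reason, it needs a comparison against the current hostname before running.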


@ -0,0 +1,11 @@
deb http://deb.debian.org/debian bookworm main non-free-firmware
deb-src http://deb.debian.org/debian bookworm main non-free-firmware
deb http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware
deb-src http://deb.debian.org/debian-security/ bookworm-security main non-free-firmware
deb http://deb.debian.org/debian bookworm-updates main non-free-firmware
deb-src http://deb.debian.org/debian bookworm-updates main non-free-firmware
deb http://deb.debian.org/debian bookworm-backports main non-free
deb-src http://deb.debian.org/debian bookworm-backports main non-free
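Review bot: The bookworm-backports pair on the last two lines lists the `non-free` component where every other entry lists `non-free-firmware` and omits `non-free`; if that asymmetry is intentional a comment saying so would stop the next editor from "fixing" it, otherwise the component lists should agree. All entries also enable `deb-src`, which roughly doubles the index data fetched on every apt update for no benefit on a host that does not build from source. The hunk header counts 11 lines but only 8 are shown here, so blank lines were probably dropped in rendering.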


@ -0,0 +1,7 @@
- name: Set up source list
copy:
src: "sources.list"
dest: "/etc/apt/sources.list"
owner: root
group: root
mode: "0644"
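Review bot: Replacing /etc/apt/sources.list does not refresh the package index, so the `apt:` tasks that run later in this play (the ufw and unattended-upgrades roles both install packages) may still resolve from the index fetched before the file changed; add `notify: Update apt cache` here with a handler running `apt: update_cache: true`, or set `update_cache: true` on the first install task that follows. `backup: true` on the copy would keep the previous sources.list on the host for rollback. The shipped file hardcodes bookworm, so applying this role to a host on another release silently repoints it; a `when: ansible_distribution_release == 'bookworm'` guard would make that explicit.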


@ -0,0 +1,4 @@
- name: Set timezone to Asia/Singapore
community.general.timezone:
name: "{{ TZ }}"
become: true
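Review bot: The task name hardcodes `Asia/Singapore` while the value actually applied is `{{ TZ }}`, so the play output misreports the timezone whenever the variable is set to anything else; use `name: "Set timezone to {{ TZ }}"`. `become: true` on the task is redundant given `become: true` at play level in set-up.yaml, and `TZ` is the only upper-case variable name in this commit where the others are snake_case (`ssh_port`, `wireguard_mesh_subnet`). This role file also has no `---` document start.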


@ -0,0 +1,69 @@
- name: Install UFW
apt:
name:
- ufw
state: latest
install_recommends: false
# ----------------------------------------------------------------------------------------------------
- name: Copy user.rules
template:
src: "user.rules.j2"
dest: "/etc/ufw/user.rules"
owner: root
group: root
mode: 0640
- name: Copy user6.rules
template:
src: "user6.rules.j2"
dest: "/etc/ufw/user6.rules"
owner: root
group: root
mode: 0640
# ----------------------------------------------------------------------------------------------------
- name: Copy user.rules (node-specific)
template:
src: "{{inventory_hostname}}.user.rules.j2"
dest: "/etc/ufw/user.rules"
owner: root
group: root
mode: 0640
ignore_errors: true
no_log: true
- name: Copy user6.rules (node-specific)
template:
src: "{{inventory_hostname}}.user6.rules.j2"
dest: "/etc/ufw/user6.rules"
owner: root
group: root
mode: 0640
ignore_errors: true
no_log: true
# ----------------------------------------------------------------------------------------------------
- name: UFW default deny routed
community.general.ufw:
default: deny
direction: routed
- name: UFW default deny incoming
community.general.ufw:
default: deny
direction: incoming
- name: UFW default allow outgoing
community.general.ufw:
default: allow
direction: outgoing
# ----------------------------------------------------------------------------------------------------
- name: UFW enable
community.general.ufw:
state: enabled
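Review bot: The node-specific template tasks (`Copy user.rules (node-specific)` and its IPv6 twin) use `ignore_errors: true` together with `no_log: true` to tolerate a missing per-host template, but that also swallows and hides every other failure — a Jinja error in a host's rules file, an unwritable /etc/ufw — leaving the host on the generic rules with nothing in the play output to say so; a `with_first_found` loop with `skip: true` expresses "use the host file if it exists" without masking errors. Nothing reloads UFW after the rules files are rewritten, and `state: enabled` at the end is not documented to reload a firewall that is already enabled, so edited user.rules may not take effect until a reboot or manual reload; have the template tasks `notify` a handler that runs `community.general.ufw: state: reloaded`. The `mode: 0640` values are unquoted octal where the sources-list role in the same commit writes `mode: "0644"`, and `{{inventory_hostname}}` lacks the spaces used everywhere else; quote and space them for consistency.
```yaml
- name: Copy user.rules (node-specific, when a template for this host exists)
  template:
    src: "{{ item }}"
    dest: "/etc/ufw/user.rules"
    owner: root
    group: root
    mode: "0640"
  with_first_found:
    - files:
        - "{{ inventory_hostname }}.user.rules.j2"
      skip: true
  notify: Reload UFW
# … unchanged: the user6.rules task gets the same loop with "{{ inventory_hostname }}.user6.rules.j2" …
```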


@ -0,0 +1,59 @@
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
### tuple ### allow tcp {{ ssh_port }} 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
-A ufw-user-input -p tcp --dport {{ ssh_port }} -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT
### tuple ### allow tcp 8870 0.0.0.0/0 any {{ oracle_ipv4_cidr_block }}/16 in
-A ufw-user-input -p tcp --dport 8870 -s {{ oracle_ipv4_cidr_block }}/16 -j ACCEPT
### tuple ### allow tcp 8870 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
-A ufw-user-input -p tcp --dport 8870 -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT
### tuple ### allow tcp 2049 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
-A ufw-user-input -p tcp --dport 2049 -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT
### tuple ### allow udp 51820 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p udp --dport 51820 -j ACCEPT
### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 80 -j ACCEPT
### tuple ### allow tcp 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p tcp --dport 443 -j ACCEPT
### tuple ### allow udp 443 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p udp --dport 443 -j ACCEPT
### END RULES ###
### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
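Review bot: This generic template opens tcp 80, tcp 443 and udp 443 to 0.0.0.0/0 (`-A ufw-user-input -p tcp --dport 80 -j ACCEPT` and the two rules after it), whereas the deleted ufw tasks applied those rules only `when: inventory_hostname == 'oracle4'`; with this commit every host without a per-host override gets them, and the 8870 rule from `{{ oracle_ipv4_cidr_block }}/16` likewise loses its `groups["oracle"]` guard. If that widening is not intended, drop the three rules here and keep them only in the oracle4-specific template, or wrap them in `{% if inventory_hostname == 'oracle4' %}` so the default stays closed. The same exposure appears in the IPv6 template in the next section (80 and 443 tcp/udp from ::/0). The `/16` suffix is appended to `wireguard_mesh_subnet` and `oracle_ipv4_cidr_block` in both the rule and its `### tuple ###` comment; if those variables already carry a prefix length the result is malformed, so either document that they hold bare network addresses or move the prefix into the variable.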


@ -0,0 +1,44 @@
*filter
:ufw6-user-input - [0:0]
:ufw6-user-output - [0:0]
:ufw6-user-forward - [0:0]
:ufw6-before-logging-input - [0:0]
:ufw6-before-logging-output - [0:0]
:ufw6-before-logging-forward - [0:0]
:ufw6-user-logging-input - [0:0]
:ufw6-user-logging-output - [0:0]
:ufw6-user-logging-forward - [0:0]
:ufw6-after-logging-input - [0:0]
:ufw6-after-logging-output - [0:0]
:ufw6-after-logging-forward - [0:0]
:ufw6-logging-deny - [0:0]
:ufw6-logging-allow - [0:0]
:ufw6-user-limit - [0:0]
:ufw6-user-limit-accept - [0:0]
### RULES ###
### tuple ### allow tcp 80 ::/0 any ::/0 in
-A ufw6-user-input -p tcp --dport 80 -j ACCEPT
### tuple ### allow tcp 443 ::/0 any ::/0 in
-A ufw6-user-input -p tcp --dport 443 -j ACCEPT
### tuple ### allow udp 443 ::/0 any ::/0 in
-A ufw6-user-input -p udp --dport 443 -j ACCEPT
### END RULES ###
### LOGGING ###
-A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
### RATE LIMITING ###
-A ufw6-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw6-user-limit -j REJECT
-A ufw6-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT


@ -0,0 +1,50 @@
*filter
:ufw-user-input - [0:0]
:ufw-user-output - [0:0]
:ufw-user-forward - [0:0]
:ufw-before-logging-input - [0:0]
:ufw-before-logging-output - [0:0]
:ufw-before-logging-forward - [0:0]
:ufw-user-logging-input - [0:0]
:ufw-user-logging-output - [0:0]
:ufw-user-logging-forward - [0:0]
:ufw-after-logging-input - [0:0]
:ufw-after-logging-output - [0:0]
:ufw-after-logging-forward - [0:0]
:ufw-logging-deny - [0:0]
:ufw-logging-allow - [0:0]
:ufw-user-limit - [0:0]
:ufw-user-limit-accept - [0:0]
### RULES ###
### tuple ### allow tcp {{ ssh_port }} 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
-A ufw-user-input -p tcp --dport {{ ssh_port }} -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT
### tuple ### allow tcp 8870 0.0.0.0/0 any {{ oracle_ipv4_cidr_block }}/16 in
-A ufw-user-input -p tcp --dport 8870 -s {{ oracle_ipv4_cidr_block }}/16 -j ACCEPT
### tuple ### allow tcp 8870 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
-A ufw-user-input -p tcp --dport 8870 -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT
### tuple ### allow tcp 2049 0.0.0.0/0 any {{ wireguard_mesh_subnet }}/16 in
-A ufw-user-input -p tcp --dport 2049 -s {{ wireguard_mesh_subnet }}/16 -j ACCEPT
### tuple ### allow udp 51820 0.0.0.0/0 any 0.0.0.0/0 in
-A ufw-user-input -p udp --dport 51820 -j ACCEPT
### END RULES ###
### LOGGING ###
-A ufw-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
### RATE LIMITING ###
-A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw-user-limit -j REJECT
-A ufw-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT
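Review bot: This per-host template repeats the generic user.rules.j2 verbatim except for the three 80/443 rules, and the IPv6 one in the next section repeats user6.rules.j2 with an empty RULES block, so a change to the shared chain definitions or logging lines now has to be made in four places and a missed one leaves hosts diverging silently. A single template that takes its rule list from a host variable, with the per-host files reduced to a `{% include %}` of the shared parts or dropped in favour of `host_vars`, would keep the rule set reviewable in one place. The file's name is not shown on this page, so which host it applies to can only be inferred from its contents.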


@ -0,0 +1,35 @@
*filter
:ufw6-user-input - [0:0]
:ufw6-user-output - [0:0]
:ufw6-user-forward - [0:0]
:ufw6-before-logging-input - [0:0]
:ufw6-before-logging-output - [0:0]
:ufw6-before-logging-forward - [0:0]
:ufw6-user-logging-input - [0:0]
:ufw6-user-logging-output - [0:0]
:ufw6-user-logging-forward - [0:0]
:ufw6-after-logging-input - [0:0]
:ufw6-after-logging-output - [0:0]
:ufw6-after-logging-forward - [0:0]
:ufw6-logging-deny - [0:0]
:ufw6-logging-allow - [0:0]
:ufw6-user-limit - [0:0]
:ufw6-user-limit-accept - [0:0]
### RULES ###
### END RULES ###
### LOGGING ###
-A ufw6-after-logging-input -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw6-after-logging-forward -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-I ufw6-logging-deny -m conntrack --ctstate INVALID -j RETURN -m limit --limit 3/min --limit-burst 10
-A ufw6-logging-deny -j LOG --log-prefix "[UFW BLOCK] " -m limit --limit 3/min --limit-burst 10
-A ufw6-logging-allow -j LOG --log-prefix "[UFW ALLOW] " -m limit --limit 3/min --limit-burst 10
### END LOGGING ###
### RATE LIMITING ###
-A ufw6-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT BLOCK] "
-A ufw6-user-limit -j REJECT
-A ufw6-user-limit-accept -j ACCEPT
### END RATE LIMITING ###
COMMIT


@ -1,106 +0,0 @@
- name: Install UFW
apt:
name:
- ufw
state: latest
install_recommends: false
# ----------------------------------------------------------------------------------------------------
- name: UFW allow {{ wireguard_port }} UDP for Wireguard
community.general.ufw:
rule: allow
src: 0.0.0.0/0
dest: any
proto: udp
port: {{ wireguard_port }}
# ----------------------------------------------------------------------------------------------------
- name: UFW allow {{ ssh_port }} TCP
community.general.ufw:
rule: allow
src: {{ wireguard_mesh_subnet }}/16
dest: any
proto: tcp
port: {{ ssh_port }}
# ----------------------------------------------------------------------------------------------------
- name: UFW allow 8870 from {{ oracle_ipv4_cidr_block }}/16 TCP for Socks Proxy
community.general.ufw:
rule: allow
src: {{ oracle_ipv4_cidr_block }}/16
dest: any
proto: tcp
port: 8870
when:
- inventory_hostname in groups["oracle"]
- name: UFW allow 8870 from {{ wireguard_mesh_subnet }}/16 TCP for Socks Proxy
community.general.ufw:
rule: allow
src: {{ wireguard_mesh_subnet }}/16
dest: any
proto: tcp
port: 8870
- name: UFW allow NFS TCP
community.general.ufw:
rule: allow
src: {{ wireguard_mesh_subnet }}/16
dest: any
proto: tcp
port: 2049
# ----------------------------------------------------------------------------------------------------
- name: UFW allow 80 TCP
community.general.ufw:
rule: allow
src: any
dest: any
proto: tcp
port: 80
when: inventory_hostname == 'oracle4'
- name: UFW allow 443 TCP
community.general.ufw:
rule: allow
src: any
dest: any
proto: tcp
port: 443
when: inventory_hostname == 'oracle4'
- name: UFW allow 443 UDP
community.general.ufw:
rule: allow
src: any
dest: any
proto: udp
port: 443
when: inventory_hostname == 'oracle4'
# ----------------------------------------------------------------------------------------------------
- name: UFW default deny routed
community.general.ufw:
default: deny
direction: routed
- name: UFW default deny incoming
community.general.ufw:
default: deny
direction: incoming
- name: UFW default allow outgoing
community.general.ufw:
default: allow
direction: outgoing
# ----------------------------------------------------------------------------------------------------
- name: UFW enable
community.general.ufw:
state: enabled


@ -0,0 +1,26 @@
- name: Install packages
apt:
name:
- unattended-upgrades
- apt-listchanges
state: latest
install_recommends: false
# ----------------------------------------------------------------------------------------------------
- name: Copy unattended-upgrades configuration files in place
template:
src: "{{ item }}.j2"
dest: "/etc/apt/apt.conf.d/{{ item }}"
owner: root
group: root
mode: 0644
with_items:
- 20auto-upgrades
- 50unattended-upgrades
- name: Enable unattended-upgrades service
service:
name: unattended-upgrades
enabled: true
state: started


@ -1,26 +0,0 @@
- name: Install packages
apt:
name:
- unattended-upgrades
- apt-listchanges
state: latest
install_recommends: false
# ----------------------------------------------------------------------------------------------------
- name: Copy unattended-upgrades configuration files in place.
template:
src: "{{ item }}.j2"
dest: "/etc/apt/apt.conf.d/{{ item }}"
owner: root
group: root
mode: 0644
with_items:
- 20auto-upgrades
- 50unattended-upgrades
- name: Enable unattended-upgrades service
service:
name: unattended-upgrades
enabled: true
state: started


@ -1,28 +1,18 @@
---
- name: Set up VPS
hosts: all
gather_facts: true
# gather_facts: true
vars_files:
- vars/secrets.yml
- vars/secrets.yaml
become: true
# ----------------------------------------------------------------------------------------------------
pre_tasks:
- name: Lock root password
user: name=root password='!'
- name: Set hostname
command: "hostnamectl set-hostname {{ inventory_hostname }}"
- name: Set timezone to Asia/Singapore
community.general.timezone:
name: {{ TZ }}
become: true
- name: Install packages
apt:
name:
- neovim
- iputils-ping
- cron
- git
@ -39,11 +29,15 @@
# ----------------------------------------------------------------------------------------------------
roles:
- nfs
- disable-root
- timezone
- chrony
- hostname
- sources-list
- ssh
- ufw-opnxng
- fail2ban
- unattended-upgrades
- nfs-opnxng
- docker
#- docker-buildx
- ssh
- ufw
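Review bot: Commenting out `gather_facts: true` in the first hunk changes nothing, since fact gathering defaults to true, but the line now reads as if it were switched off; either delete it or write `gather_facts: false` if that was the intent. In the roles hunk, `sources-list` runs after `nfs`, `disable-root`, `timezone` and `chrony`, so any packages those roles install come from whatever sources.list the host had before this play rewrote it; moving `sources-list` (followed by an apt cache refresh) ahead of the package-installing roles would make the first run consistent with later ones, though those roles' contents are not visible here.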