commit 588507afe2ac85e3a022343addb6efbbdaae4994
parent 75e4b4f209f4b6aceee6d8366df3bff9669e8ea8
Author: Leah (ctucx) <leah@ctu.cx>
Date: Sat, 23 Oct 2021 22:44:41 +0200
parent 75e4b4f209f4b6aceee6d8366df3bff9669e8ea8
Author: Leah (ctucx) <leah@ctu.cx>
Date: Sat, 23 Oct 2021 22:44:41 +0200
remove maikaefer
3 files changed, 0 insertions(+), 419 deletions(-)
D
|
86
-------------------------------------------------------------------------------
D
|
306
-------------------------------------------------------------------------------
diff --git a/config-files/nftables/maikaefer.nft b/config-files/nftables/maikaefer.nft 
@@ -1,86 +0,0 @@
-#!/usr/sbin/nft -f
-
-flush ruleset
-
-table inet firewall {
- chain inbound {
- # By default, drop all traffic unless it meets a filter
- # criteria specified by the rules that follow below.
- type filter hook input priority 0;
- policy drop;
-
- # Allow traffic from established and related packets.
- ct state established,related accept
-
- # Drop invalid packets.
- ct state invalid drop
-
- # Allow local connections.
- iifname lo accept
- iifname brlan accept
-
- # Allow all ICMP and IGMP traffic, but enforce a rate limit
- # to help prevent some types of flood attacks.
- ip protocol icmp limit rate 5/second accept
- ip protocol igmp limit rate 5/second accept
- #ip6 protocol ipv6-icmp icmpv6-type redirect drop
- #ip6 protocol ipv6-icmp icmpv6-type 139 drop
- ip6 nexthdr ipv6-icmp limit rate 5/second accept
-
- # Allow some ports
- tcp dport ssh accept comment "ssh"
- tcp dport domain accept comment "dns (tcp)"
- udp dport domain accept comment "dns (udp)"
- tcp dport http accept comment "http"
- tcp dport https accept comment "https"
- tcp dport 22000 accept comment "syncthing"
- udp dport 21027 accept comment "syncthing"
- tcp dport 5201 accept comment "iperf3 (tcp)"
- udp dport 5201 accept comment "iperf3 (udp)"
- }
-
- chain forward {
- # By default, drop all traffic unless it meets a filter
- type filter hook forward priority 0;
- policy drop;
-
- # Allow traffic from established and related packets.
- ct state established,related accept
-
- # Drop invalid packets.
- ct state invalid drop
-
- # local clients can do whatever
- iifname brlan accept
-
- # Allow all ICMP and IGMP traffic, but enforce a rate limit
- # to help prevent some types of flood attacks.
- ip protocol icmp limit rate 5/second accept
- ip6 nexthdr ipv6-icmp limit rate 5/second accept
- ip protocol igmp limit rate 5/second accept
-
- #make public ips world accessible
- ip daddr 195.39.246.32/28 accept
- }
-
- chain outbound {
- # Allow all outbound traffic
- type filter hook output priority 0
- policy accept
- }
-
-}
-
-table ip nat {
- chain prerouting {
- type nat hook prerouting priority -100
- policy accept
- }
-
- chain postrouting {
- type nat hook postrouting priority 0
- policy accept
- oifname enp2s0 masquerade
- }
-}
-include "/etc/nftables.d/*.nft"
diff --git a/configuration/maikaefer.yml b/configuration/maikaefer.yml 
@@ -1,306 +0,0 @@ -system: - hostname: maikaefer - domain: ctu.cx - timezone: Europe/Berlin - enableOwnRepos: false - enableSudo: true - useNTP: true - extraPackages: - - iftop - - iotop - - htop - - rsync - - mtr - - traceroute - - dnsutils - - tar - - unzip - - wget - - curl - users: - - name: root - allowedSshKeys: - - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829 - - ssh-rsa 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 cardno:000606445161 - - name: leah - groups: "wheel" - shell: /usr/bin/bash - password: "{{ lookup('diskcache', 'passwordstore', 'Server/leah.password')}}" - allowedSshKeys: - - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829 - - ssh-rsa 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 cardno:000606445161 - - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e isa@Isabelles-MacBook-Pro.local - -network: - ipForwarding: true - nftables: - enable: true - configFile: config-files/nftables/maikaefer.nft - -networkd: - networkd_resolv_conf_content: - - nameserver 1.1.1.1 - - nameserver 8.8.8.8 - networkd_apply_action: "restart" - netdev: - - name: enp2s0.5 - priority: 20 - content: - - NetDev: - - Name: enp2s0.5 - - Kind: vlan - - VLAN: - - Id: 5 - - name: wg-pbb - priority: 30 - content: - - NetDev: - - Name: 
wg-pbb - - Kind: wireguard - - WireGuard: - - PrivateKey: "{{ lookup('diskcache', 'passwordstore', 'Server/maikaefer/wireguard.privkey returnall=true') }}" - - FirewallMark: 51820 - - WireGuardPeer: - - PublicKey: "{{ lookup('diskcache', 'passwordstore', 'Server/desastro/wireguard.pubkey returnall=true') }}" - - AllowedIPs: "0.0.0.0/0, ::/0" - - Endpoint: "195.39.247.172:51820" - - PersistentKeepalive: 10 - - name: brlan - priority: 40 - content: - - NetDev: - - Name: brlan - - Kind: bridge - network: - - name: enp2s0 - priority: 20 - content: - - Match: - - Name: enp2s0 - - Network: -# - DHCP: yes - - VLAN: enp2s0.5 - - Brige: brlan - - name: enp2s0.5 - priority: 20 - content: - - Match: - - Name: enp2s0.5 - - Network: - - DHCP: yes -# - Bridge: brlan - - name: wg-pbb - priority: 30 - content: - - Match: - - Name: wg-pbb - - Link: - - MTUBytes: 1472 - - Route: - - Destination: 0.0.0.0/0 - - Table: 1234 - - Route: - - Destination: ::/0 - - Table: 1234 - - name: brlan - priority: 40 - content: - - Match: - - Name: brlan - - Driver: bridge - - Network: - - DHCP: no - - Address: 195.39.246.33/28 - - Address: 10.0.0.1/24 - - Address: 2a0f:4ac0:acab::1/62 - - RoutingPolicyRule: - - From: 195.39.246.32/28 - - Table: 254 - - Priority: 1900 - - SuppressPrefixLength: 0 - - RoutingPolicyRule: - - From: 2a0f:4ac0:acab::/62 - - Table: 254 - - Priority: 1900 - - SuppressPrefixLength: 0 - - RoutingPolicyRule: - - From: 195.39.246.32/28 - - Table: 1234 - - Priority: 2000 - - RoutingPolicyRule: - - 
From: 2a0f:4ac0:acab::/62 - - Table: 1234 - - Priority: 2000 - - name: usb-tetherring - priority: 91 - content: - - Match: - - Name: enp*s*u* - - Network: - - DHCP: yes - -files: - /var/lib/websites: - state: "directory" - mode: "0755" - owner: "leah" - group: "http" - /var/lib/websites/dnsmasq.home.ctu.cx: - state: "directory" - mode: "0755" - owner: "leah" - group: "http" - -services: - openssh: - enable: true - port: 22 - permitRootLogin: true - passwordAuthentication: false - - prometheus_node_exporter: - enable: true - - vnstat: - enable: true - - acme_redirect: - enable: true - email: lets-encrypt@ctu.cx - renew_if_days_left: 30 - certs: - maikaefer.ctu.cx: - renewTasks: - - systemctl restart nginx - home.ctu.cx: - extraDnsNames: - - legacy.home.ctu.cx - renewTasks: - - systemctl restart nginx - dnsmasq.home.ctu.cx: - renewTasks: - - systemctl restart nginx - - php_fpm: - enable: true - version: 8 - extraModules: - - gd - - intl - listeners: - www: - user: leah - group: leah - listenerPath: /run/php-fpm/php-fpm.sock - listenerOwner: http - listenerGroup: http - - nginx: - enable: true - sslOnly: true - vhosts: - maikaefer.ctu.cx: - defaultserver: true - ssl: - enable: true - cert: "/var/lib/acme-redirect/live/maikaefer.ctu.cx/fullchain" - privkey: "/var/lib/acme-redirect/live/maikaefer.ctu.cx/privkey" - locations: - - path: /node-exporter - proxy: http://127.0.0.1:9100/metrics - dnsmasq.home.ctu.cx: - root: /var/lib/websites/dnsmasq.home.ctu.cx - extraConfig: " - try_files $uri $uri/ /index.php?$query_string; - " - enablePhpSupport: true - phpSocket: /run/php-fpm/php-fpm.sock - ssl: - enable: true - cert: "/var/lib/acme-redirect/live/dnsmasq.home.ctu.cx/fullchain" - privkey: "/var/lib/acme-redirect/live/dnsmasq.home.ctu.cx/privkey" - - dnsmasq: - enable: true - local_service: true - no_resolv: true - no_hosts: true - domain_needed: true - bogus_priv: true - expand_hosts: false - read_ethers: false - enable_ra: true - quiet_ra: true - domain: home.ctu.cx - 
auth_ttl: 600 - auth_server: home.ctu.cx, wg-pbb - auth_zones: - - home.ctu.cx, 10.0.0.1/24, 195.39.246.32/28, 2a0f:4ac0:acab::1/64 - local_addresses: - - /fritz.box/192.168.178.1 - - /lollo/10.0.0.1 - - /isa-nuc/195.39.246.41 - addresses: - - home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 - - legacy.home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 - - dnsmasq.home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 - - music.home.ctu.cx, 195.39.246.42, 2a0f:4ac0:acab::1 - - influx.home.ctu.cx, 195.39.246.42, 2a0f:4ac0:acab::1 - - isa-nuc.home.ctu.cx, 195.39.246.41, 2a0f:4ac0:acab::41 - dns_servers: - - 1.1.1.1 - - 1.0.0.1 - - 8.8.8.8 - - 8.8.4.4 - dhcp: - authoritative: true - rapid_commit: true - sequential_ip: true - options: - - option6:information-refresh-time, 6h - - option6:dns-server, [2a0f:4ac0:acab::1] - - private, option:router, 10.0.0.1 - - private, option:dns-server, 10.0.0.1 - - public, option:router, 195.39.246.33 - - public, option:dns-server, 195.39.246.33 - ranges: - - private, 10.0.0.100, 10.0.0.200, 255.255.255.0, 48h - - public, 195.39.246.34, static, 255.255.255.240, 195.39.246.47, 48h - - 2a0f:4ac0:acab::100, 2a0f:4ac0:acab::01ff, ra-names,slaac, 64, 48h - hosts: - # accesspoint - - f4:06:8d:df:1f:e3, accesspoint, 10.0.0.2 - # ctucx macbook - - id:00:01:00:01:27:51:55:30:80:e6:50:21:e0:6a, toaster, [2a0f:4ac0:acab::34] - - 80:e6:50:21:e0:6a, toaster, 195.39.246.34 - # ctucx thinkcentre - - id:e8:6a:64:f4:49:e7, stasicontainer, [2a0f:4ac0:acab::39] - - e8:6a:64:f4:49:e7, stasicontainer, 195.39.246.39 - # ctucx thinkpad x390 (mac: wlan, eth) - - id:04:ea:56:3c:bc:ac, coladose, [2a0f:4ac0:acab::35] - - 04:ea:56:3c:bc:ac, e8:6a:64:d6:e3:33, coladose, 195.39.246.35 - # isa macbook - - id:00:01:00:01:23:53:5d:7e:6c:40:08:af:2e:9c, isabelles-mbp, [2a0f:4ac0:acab::38] - - 6c:40:08:af:2e:9c, isabelles-mbp, 195.39.246.38 - # isa thinkpad x390 - - id:04:ea:56:f2:b4:6c, isa-x390, [2a0f:4ac0:acab::36] - - 04:ea:56:f2:b4:6c, isa-x390, 195.39.246.36 - # isa p2max - - 
id:ac:67:5d:12:2f:5a, isa-p2max, [2a0f:4ac0:acab::40] - - ac:67:5d:12:2f:5a, isa-p2max, 195.39.246.40 - # isa nuc - - id:1c:69:7a:61:61:bf, isa-nuc, [2a0f:4ac0:acab::41] - - 1c:69:7a:61:61:bf, isa-nuc, 195.39.246.41 - - frpc: - enable: true - serverAddress: osterei.ctu.cx - serverPort: 5050 - token: "{{ lookup('diskcache', 'passwordstore', 'Server/osterei/frps/token returnall=true')}}" - dashboard: false - tunnels: - - name: maikaefer-ssh - type: tcp - local_ip: 127.0.0.1 - local_port: 22 - remote_port: 2203
diff --git a/playbook.yml b/playbook.yml
@@ -133,33 +133,6 @@
 - role: rest-server
 tags: [ backup, rest-server, restic ]
-- hosts: maikaefer
- name: Install maikaefer
- vars_files: configuration/maikaefer.yml
- roles:
- - role: common
- tags: common
- - role: openssh
- tags: [ openssh, common ]
- - role: files
- tags: files
- - role: systemd-timers
- tags: timers
- - role: systemd-networkd
- tags: systemd-networkd
- - role: vnstat
- tags: vnstat
- - role: php-fpm
- tags: php-fpm
-# - role: nginx
-# tags: nginx
- - role: dnsmasq
- tags: dnsmasq
-# - role: frpc
-# tags:
-# - frp
-# - frpc
-
 - hosts: stasicontainer
 name: Install stasicontainer
 vars_files: configuration/stasicontainer.yml