commit 6db09bee8c68f7acdcd9464453b63ae770748792
parent 97dcec081e1f2e8327a29921ed139d1bc74c551c
Author: Leah (ctucx) <leah@ctu.cx>
Date: Fri, 11 Jun 2021 11:43:42 +0200
add host maikaefer
3 files changed, 419 insertions(+), 0 deletions(-)
A
|
86
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
|
306
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/config-files/nftables/maikaefer.nft b/config-files/nftables/maikaefer.nft 
@@ -0,0 +1,86 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet firewall {
+chain inbound {
+# By default, drop all traffic unless it meets a filter
+# criteria specified by the rules that follow below.
+type filter hook input priority 0;
+policy drop;
+
+# Allow traffic from established and related packets.
+ct state established,related accept
+
+# Drop invalid packets.
+ct state invalid drop
+
+# Allow local connections.
+iifname lo accept
+iifname brlan accept
+
+# Allow all ICMP and IGMP traffic, but enforce a rate limit
+# to help prevent some types of flood attacks.
+ip protocol icmp limit rate 5/second accept
+ip protocol igmp limit rate 5/second accept
+#ip6 protocol ipv6-icmp icmpv6-type redirect drop
+#ip6 protocol ipv6-icmp icmpv6-type 139 drop
+ip6 nexthdr ipv6-icmp limit rate 5/second accept
+
+# Allow some ports
+tcp dport ssh accept comment "ssh"
+tcp dport domain accept comment "dns (tcp)"
+udp dport domain accept comment "dns (udp)"
+tcp dport http accept comment "http"
+tcp dport https accept comment "https"
+tcp dport 22000 accept comment "syncthing"
+udp dport 21027 accept comment "syncthing"
+tcp dport 5201 accept comment "iperf3 (tcp)"
+udp dport 5201 accept comment "iperf3 (udp)"
+}
+
+chain forward {
+# By default, drop all traffic unless it meets a filter
+type filter hook forward priority 0;
+policy drop;
+
+# Allow traffic from established and related packets.
+ct state established,related accept
+
+# Drop invalid packets.
+ct state invalid drop
+
+# local clients can do whatever
+iifname brlan accept
+
+# Allow all ICMP and IGMP traffic, but enforce a rate limit
+# to help prevent some types of flood attacks.
+ip protocol icmp limit rate 5/second accept
+ip6 nexthdr ipv6-icmp limit rate 5/second accept
+ip protocol igmp limit rate 5/second accept
+
+#make public ips world accessible
+ip daddr 195.39.246.32/28 accept
+}
+
+chain outbound {
+# Allow all outbound traffic
+type filter hook output priority 0
+policy accept
+}
+
+}
+
+table ip nat {
+chain prerouting {
+type nat hook prerouting priority -100
+policy accept
+}
+
+chain postrouting {
+type nat hook postrouting priority 0
+policy accept
+oifname enp2s0 masquerade
+}
+}
+include "/etc/nftables.d/*.nft"
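Review bot: The forward rule `ip daddr 195.39.246.32/28 accept` admits new connections from any source to every port on every host in the public /28, and the dnsmasq config in this same commit hands those addresses to laptops over DHCP, so each client is fully reachable from the internet with only its own host firewall in between. If blanket exposure is not the intent, narrow it to a port set, e.g. `ip daddr 195.39.246.32/28 tcp dport { ssh, https } accept`, or at least spell the intent out in the comment above it. There is no equivalent rule for `2a0f:4ac0:acab::/62`, so inbound IPv6 to the same hosts is dropped by the forward policy — the v4/v6 asymmetry looks unintentional. Also, `ip6 nexthdr ipv6-icmp limit rate 5/second accept` covers neighbor discovery; once the limiter trips, NS/NA packets fall through to `policy drop`, which can break IPv6 on the LAN under bursty traffic, so accepting `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert }` before the limiter is safer.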
diff --git a/configuration/maikaefer.yml b/configuration/maikaefer.yml 
@@ -0,0 +1,306 @@ +system: + hostname: maikaefer + domain: ctu.cx + timezone: Europe/Berlin + enableOwnRepos: false + enableSudo: true + useNTP: true + extraPackages: + - iftop + - iotop + - htop + - rsync + - mtr + - traceroute + - dnsutils + - tar + - unzip + - wget + - curl + users: + - name: root + allowedSshKeys: + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829 + - ssh-rsa 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 cardno:000606445161 + - name: leah + groups: "wheel" + shell: /usr/bin/bash + password: "{{ lookup('diskcache', 'passwordstore', 'Server/leah.password')}}" + allowedSshKeys: + - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829 + - ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAACAQDb2eZ2ymt+Zsf0eTlmjW2jPdS013lbde1+EGkgu6bz9lVTR8aawshF2HcoaWp5a5dJr3SKyihDM8hbWSYB3qyTHihNGyCArqSvAtZRw301ailRVHGqiwUITTfcg1533TtmWvlJZgOIFM1VvSAfdueDRRRzbygmn749fS9nhUTDzLtjqX5LvhpqhzsD+eOqPrV6Ne8E1e42JxQb5AJPY1gj9mk6eAarvtEHQYEe+/hp9ERjtCdN5DfuOJnqfaKS0ytPj/NbQskbX/TMgeUVio11iC2NbXsnAtzMmtbLX4mxlDQrR6aZmU/rHQ4aeJqI/Tj2rrF46icri7s0tnnit1OjT5PSxXgifcOtn06qoxYZMT1x+Dyrt40vNkGmxmxCnirm8B+6MKXgd/Ys+7tnOm1ht8TmLm96x6KdOiF3Zq/tMxhPAzp8JriTKSo7k7U9XxStFghTbhhBNc7OX89ZbpalLEnvbQiz87gZxhcx8cLvzIjslOHmZOSWC5Pgr4wwuj3Akq63i4ya6/BzM6v4UoBuDAB6fz3NHKL4R5X20la7Pvt7OBysQkGClWfj6ipMR1bFE2mfYtlMioXNgTjC+NCpEl1+81MH7dv2565Hk8CLV8FMxv6GujbAZGjjcM47lpWM1cBQvpBMUA/lLkyiCPK0YxNWAB7Co+jYDl6CR0Ubew== cardno:000606445161 + - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e isa@Isabelles-MacBook-Pro.local + +network: + ipForwarding: true + nftables: + enable: true + configFile: config-files/nftables/maikaefer.nft + +networkd: + networkd_resolv_conf_content: + - nameserver 1.1.1.1 + - nameserver 8.8.8.8 + networkd_apply_action: "restart" + netdev: + - name: enp2s0.5 + priority: 20 + content: + - NetDev: + - Name: enp2s0.5 + - Kind: vlan + - VLAN: + - Id: 5 + - name: wg-pbb + priority: 30 + content: + - NetDev: + - Name: wg-pbb + - Kind: wireguard + - WireGuard: + - PrivateKey: "{{ lookup('diskcache', 'passwordstore', 'Server/maikaefer/wireguard.privkey returnall=true') }}" + - FirewallMark: 51820 + - WireGuardPeer: + - PublicKey: "{{ lookup('diskcache', 'passwordstore', 'Server/desastro/wireguard.pubkey returnall=true') }}" + - AllowedIPs: "0.0.0.0/0, ::/0" + - Endpoint: "195.39.247.172:51820" + - PersistentKeepalive: 10 + - name: brlan + priority: 40 + content: + - NetDev: + - Name: brlan + - Kind: bridge + network: + - name: enp2s0 + priority: 20 + content: + - Match: + - Name: enp2s0 + - Network: +# - DHCP: yes + - VLAN: enp2s0.5 + - Brige: brlan + - name: enp2s0.5 + priority: 20 + content: + - Match: + - Name: enp2s0.5 + - 
Network: + - DHCP: yes +# - Bridge: brlan + - name: wg-pbb + priority: 30 + content: + - Match: + - Name: wg-pbb + - Link: + - MTUBytes: 1472 + - Route: + - Destination: 0.0.0.0/0 + - Table: 1234 + - Route: + - Destination: ::/0 + - Table: 1234 + - name: brlan + priority: 40 + content: + - Match: + - Name: brlan + - Driver: bridge + - Network: + - DHCP: no + - Address: 195.39.246.33/28 + - Address: 10.0.0.1/24 + - Address: 2a0f:4ac0:acab::1/62 + - RoutingPolicyRule: + - From: 195.39.246.32/28 + - Table: 254 + - Priority: 1900 + - SuppressPrefixLength: 0 + - RoutingPolicyRule: + - From: 2a0f:4ac0:acab::/62 + - Table: 254 + - Priority: 1900 + - SuppressPrefixLength: 0 + - RoutingPolicyRule: + - From: 195.39.246.32/28 + - Table: 1234 + - Priority: 2000 + - RoutingPolicyRule: + - 
From: 2a0f:4ac0:acab::/62 + - Table: 1234 + - Priority: 2000 + - name: usb-tetherring + priority: 91 + content: + - Match: + - Name: enp*s*u* + - Network: + - DHCP: yes + +files: + /var/lib/websites: + state: "directory" + mode: "0755" + owner: "leah" + group: "http" + /var/lib/websites/dnsmasq.home.ctu.cx: + state: "directory" + mode: "0755" + owner: "leah" + group: "http" + +services: + openssh: + enable: true + port: 22 + permitRootLogin: true + passwordAuthentication: false + + prometheus_node_exporter: + enable: true + + vnstat: + enable: true + + acme_redirect: + enable: true + email: lets-encrypt@ctu.cx + renew_if_days_left: 30 + certs: + maikaefer.ctu.cx: + renewTasks: + - systemctl restart nginx + home.ctu.cx: + extraDnsNames: + - legacy.home.ctu.cx + renewTasks: + - systemctl restart nginx + dnsmasq.home.ctu.cx: + renewTasks: + - systemctl restart nginx + + php_fpm: + enable: true + version: 8 + extraModules: + - gd + - intl + listeners: + www: + user: leah + group: leah + listenerPath: /run/php-fpm/php-fpm.sock + listenerOwner: http + listenerGroup: http + + nginx: + enable: true + sslOnly: true + vhosts: + maikaefer.ctu.cx: + defaultserver: true + ssl: + enable: true + cert: "/var/lib/acme-redirect/live/maikaefer.ctu.cx/fullchain" + privkey: "/var/lib/acme-redirect/live/maikaefer.ctu.cx/privkey" + locations: + - path: /node-exporter + proxy: http://127.0.0.1:9100/metrics + dnsmasq.home.ctu.cx: + root: /var/lib/websites/dnsmasq.home.ctu.cx + extraConfig: " + try_files $uri $uri/ /index.php?$query_string; + " + enablePhpSupport: true + phpSocket: /run/php-fpm/php-fpm.sock + ssl: + enable: true + cert: "/var/lib/acme-redirect/live/dnsmasq.home.ctu.cx/fullchain" + privkey: "/var/lib/acme-redirect/live/dnsmasq.home.ctu.cx/privkey" + + dnsmasq: + enable: true + local_service: true + no_resolv: true + no_hosts: true + domain_needed: true + bogus_priv: true + expand_hosts: false + read_ethers: false + enable_ra: true + quiet_ra: true + domain: home.ctu.cx + 
auth_ttl: 600 + auth_server: home.ctu.cx, wg-pbb + auth_zones: + - home.ctu.cx, 10.0.0.1/24, 195.39.246.32/28, 2a0f:4ac0:acab::1/64 + local_addresses: + - /fritz.box/192.168.178.1 + - /lollo/10.0.0.1 + - /isa-nuc/195.39.246.41 + addresses: + - home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 + - legacy.home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 + - dnsmasq.home.ctu.cx, 195.39.246.33, 2a0f:4ac0:acab::1 + - music.home.ctu.cx, 195.39.246.42, 2a0f:4ac0:acab::1 + - influx.home.ctu.cx, 195.39.246.42, 2a0f:4ac0:acab::1 + - isa-nuc.home.ctu.cx, 195.39.246.41, 2a0f:4ac0:acab::41 + dns_servers: + - 1.1.1.1 + - 1.0.0.1 + - 8.8.8.8 + - 8.8.4.4 + dhcp: + authoritative: true + rapid_commit: true + sequential_ip: true + options: + - option6:information-refresh-time, 6h + - option6:dns-server, [2a0f:4ac0:acab::1] + - private, option:router, 10.0.0.1 + - private, option:dns-server, 10.0.0.1 + - public, option:router, 195.39.246.33 + - public, option:dns-server, 195.39.246.33 + ranges: + - private, 10.0.0.100, 10.0.0.200, 255.255.255.0, 48h + - public, 195.39.246.34, static, 255.255.255.240, 195.39.246.47, 48h + - 2a0f:4ac0:acab::100, 2a0f:4ac0:acab::01ff, ra-names,slaac, 64, 48h + hosts: + # accesspoint + - f4:06:8d:df:1f:e3, accesspoint, 10.0.0.2 + # ctucx macbook + - id:00:01:00:01:27:51:55:30:80:e6:50:21:e0:6a, toaster, [2a0f:4ac0:acab::34] + - 80:e6:50:21:e0:6a, toaster, 195.39.246.34 + # ctucx thinkcentre + - id:e8:6a:64:f4:49:e7, stasicontainer, [2a0f:4ac0:acab::39] + - e8:6a:64:f4:49:e7, stasicontainer, 195.39.246.39 + # ctucx thinkpad x390 (mac: wlan, eth) + - id:04:ea:56:3c:bc:ac, coladose, [2a0f:4ac0:acab::35] + - 04:ea:56:3c:bc:ac, e8:6a:64:d6:e3:33, coladose, 195.39.246.35 + # isa macbook + - id:00:01:00:01:23:53:5d:7e:6c:40:08:af:2e:9c, isabelles-mbp, [2a0f:4ac0:acab::38] + - 6c:40:08:af:2e:9c, isabelles-mbp, 195.39.246.38 + # isa thinkpad x390 + - id:04:ea:56:f2:b4:6c, isa-x390, [2a0f:4ac0:acab::36] + - 04:ea:56:f2:b4:6c, isa-x390, 195.39.246.36 + # isa p2max + - 
id:ac:67:5d:12:2f:5a, isa-p2max, [2a0f:4ac0:acab::40] + - ac:67:5d:12:2f:5a, isa-p2max, 195.39.246.40 + # isa nuc + - id:1c:69:7a:61:61:bf, isa-nuc, [2a0f:4ac0:acab::41] + - 1c:69:7a:61:61:bf, isa-nuc, 195.39.246.41 + + frpc: + enable: true + serverAddress: osterei.ctu.cx + serverPort: 5050 + token: "{{ lookup('diskcache', 'passwordstore', 'Server/osterei/frps/token returnall=true')}}" + dashboard: false + tunnels: + - name: maikaefer-ssh + type: tcp + local_ip: 127.0.0.1 + local_port: 22 + remote_port: 2203
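Review bot: `- Brige: brlan` in the `enp2s0` network section appears to be a typo for `Bridge`; systemd-networkd logs an unknown-key warning and ignores it, so enp2s0 would never be enslaved to brlan and the bridge would have no member port — change it to `- Bridge: brlan`. Separately, the php-fpm `www` pool runs as user `leah`, who also owns `/var/lib/websites/dnsmasq.home.ctu.cx`, so any flaw in the PHP served from that root lets it rewrite its own document root; a dedicated low-privilege pool user that can read but not write the docroot would contain that. The `/node-exporter` location on the default vhost proxies `127.0.0.1:9100/metrics` with no access control, which makes host metrics world-readable over HTTPS on a publicly addressed machine (the nginx role is still commented out in playbook.yml, so it is not live yet); an `allow`/`deny` list or basic auth on that location would be prudent.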
diff --git a/playbook.yml b/playbook.yml @@ -154,6 +154,33 @@ - role: rest-server tags: [ backup, rest-server, restic ] +- hosts: maikaefer + name: Install maikaefer + vars_files: configuration/maikaefer.yml + roles: + - role: common + tags: common + - role: openssh + tags: [ openssh, common ] + - role: files + tags: files + - role: systemd-timers + tags: timers + - role: systemd-networkd + tags: systemd-networkd + - role: vnstat + tags: vnstat + - role: php-fpm + tags: php-fpm +# - role: nginx +# tags: nginx + - role: dnsmasq + tags: dnsmasq +# - role: frpc +# tags: +# - frp +# - frpc + - hosts: stasicontainer name: Install stasicontainer vars_files: configuration/stasicontainer.yml