ctucx.git: ansible-configs

My personal ansible roles and playbooks [deprecated in favor of nixos]

commit 6db09bee8c68f7acdcd9464453b63ae770748792
parent 97dcec081e1f2e8327a29921ed139d1bc74c551c
Author: Leah (ctucx) <leah@ctu.cx>
Date: Fri, 11 Jun 2021 11:43:42 +0200

add host maikaefer
3 files changed, 419 insertions(+), 0 deletions(-)
A
config-files/nftables/maikaefer.nft
|
86
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
configuration/maikaefer.yml
|
306
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
playbook.yml
|
27
+++++++++++++++++++++++++++
diff --git a/config-files/nftables/maikaefer.nft b/config-files/nftables/maikaefer.nft
@@ -0,0 +1,86 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet firewall {
+    chain inbound {
+    	# By default, drop all traffic unless it meets a filter
+    	# criteria specified by the rules that follow below.
+        type filter hook input priority 0;
+        policy drop;
+
+        # Allow traffic from established and related packets.
+        ct state established,related accept
+
+        # Drop invalid packets.
+        ct state invalid drop
+
+        # Allow local connections.
+        iifname lo accept
+        iifname brlan accept
+
+        # Allow all ICMP and IGMP traffic, but enforce a rate limit
+        # to help prevent some types of flood attacks.
+        ip protocol icmp limit rate 5/second accept
+        ip protocol igmp limit rate 5/second accept
+        #ip6 protocol ipv6-icmp icmpv6-type redirect drop
+        #ip6 protocol ipv6-icmp icmpv6-type 139 drop
+        ip6 nexthdr ipv6-icmp limit rate 5/second accept
+
+        # Allow some ports
+        tcp dport ssh accept comment "ssh"
+        tcp dport domain accept comment "dns (tcp)"
+        udp dport domain accept comment "dns (udp)"
+        tcp dport http accept comment "http"
+        tcp dport https accept comment "https"
+        tcp dport 22000 accept comment "syncthing"
+        udp dport 21027 accept comment "syncthing"
+        tcp dport 5201 accept comment "iperf3 (tcp)"
+        udp dport 5201 accept comment "iperf3 (udp)"
+    }
+
+    chain forward {
+        # By default, drop all traffic unless it meets a filter
+        type filter hook forward priority 0;
+        policy drop;
+
+        # Allow traffic from established and related packets.
+        ct state established,related accept
+
+        # Drop invalid packets.
+        ct state invalid drop
+
+        # local clients can do whatever
+        iifname brlan accept
+
+        # Allow all ICMP and IGMP traffic, but enforce a rate limit
+        # to help prevent some types of flood attacks.
+        ip protocol icmp limit rate 5/second accept
+        ip6 nexthdr ipv6-icmp limit rate 5/second accept
+        ip protocol igmp limit rate 5/second accept
+
+        #make public ips world accessible 
+        ip daddr 195.39.246.32/28 accept
+    }
+
+    chain outbound {
+        # Allow all outbound traffic
+        type filter hook output priority 0
+        policy accept
+    }
+
+}
+
+table ip nat {
+    chain prerouting {
+        type nat hook prerouting priority -100
+        policy accept
+    }
+
+    chain postrouting {
+        type nat hook postrouting priority 0
+        policy accept
+        oifname enp2s0 masquerade
+    }
+}
+include "/etc/nftables.d/*.nft"
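Review bot: The service rules in `chain inbound` (`tcp dport ssh accept` through `udp dport 5201 accept`) carry no interface qualifier, so ssh, DNS, http/https, syncthing and iperf3 are accepted on every interface — including the upstream VLAN `enp2s0.5`, which takes a DHCP lease in configuration/maikaefer.yml, and `wg-pbb` — not only on `brlan`. DNS and iperf3 in particular look like inside-only services and would be better written as `iifname { brlan, wg-pbb } udp dport domain accept comment "dns (udp)"` (and the same for the tcp rule and the 5201 rules), leaving only the services meant for the internet unqualified. In `chain forward` the only world-accessible rule is `ip daddr 195.39.246.32/28 accept`; the IPv6 prefix 2a0f:4ac0:acab::/62 that brlan carries has no counterpart, so inbound IPv6 to LAN hosts is dropped by the chain policy — it is not clear from the hunk whether that is intended. The two comment lines above `type filter hook input priority 0;` are indented with a tab where the rest of the file uses spaces.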
diff --git a/configuration/maikaefer.yml b/configuration/maikaefer.yml
@@ -0,0 +1,306 @@
+system:
+  hostname: maikaefer
+  domain: ctu.cx
+  timezone: Europe/Berlin
+  enableOwnRepos: false
+  enableSudo: true
+  useNTP: true
+  extraPackages:
+    - iftop
+    - iotop
+    - htop
+    - rsync
+    - mtr
+    - traceroute
+    - dnsutils
+    - tar
+    - unzip
+    - wget
+    - curl
+  users:
+    - name: root
+      allowedSshKeys:
+        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829
+        - ssh-rsa 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 cardno:000606445161
+    - name: leah
+      groups: "wheel"
+      shell: /usr/bin/bash
+      password: "{{ lookup('diskcache', 'passwordstore', 'Server/leah.password')}}"
+      allowedSshKeys:
+        - ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829
+        - ssh-rsa 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 cardno:000606445161
+        - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGrvhqC/tZzpLMs/qy+1xNSVi2mfn8LXPIEhh7dcGn9e isa@Isabelles-MacBook-Pro.local
+
+network:
+  ipForwarding: true
+  nftables:
+    enable: true
+    configFile: config-files/nftables/maikaefer.nft
+
+networkd:
+  networkd_resolv_conf_content:
+    - nameserver 1.1.1.1
+    - nameserver 8.8.8.8
+  networkd_apply_action: "restart"
+  netdev:
+    - name: enp2s0.5
+      priority: 20
+      content:
+        - NetDev:
+          - Name: enp2s0.5
+          - Kind: vlan
+        - VLAN:
+          - Id: 5
+    - name: wg-pbb
+      priority: 30
+      content:
+        - NetDev:
+          - Name: wg-pbb
+          - Kind: wireguard
+        - WireGuard:
+          - PrivateKey: "{{ lookup('diskcache', 'passwordstore', 'Server/maikaefer/wireguard.privkey returnall=true') }}"
+          - FirewallMark: 51820
+        - WireGuardPeer:
+          - PublicKey: "{{ lookup('diskcache', 'passwordstore', 'Server/desastro/wireguard.pubkey returnall=true') }}"
+          - AllowedIPs:  "0.0.0.0/0, ::/0"
+          - Endpoint: "195.39.247.172:51820"
+          - PersistentKeepalive: 10
+    - name: brlan
+      priority: 40 
+      content:
+        - NetDev:
+          - Name: brlan
+          - Kind: bridge
+  network:
+    - name: enp2s0
+      priority: 20
+      content:
+        - Match:
+          - Name: enp2s0
+        - Network:
+#          - DHCP: yes
+          - VLAN: enp2s0.5
+          - Brige: brlan
+    - name: enp2s0.5
+      priority: 20
+      content:
+        - Match:
+          - Name: enp2s0.5
+        - Network:
+          - DHCP: yes
+#          - Bridge: brlan
+    - name: wg-pbb
+      priority: 30
+      content:
+        - Match:
+          - Name: wg-pbb
+        - Link:
+          - MTUBytes: 1472
+        - Route:
+          - Destination: 0.0.0.0/0
+          - Table: 1234
+        - Route:
+          - Destination: ::/0
+          - Table: 1234
+    - name: brlan
+      priority: 40
+      content:
+        - Match:
+          - Name: brlan
+          - Driver: bridge
+        - Network:
+          - DHCP: no
+          - Address: 195.39.246.33/28
+          - Address: 10.0.0.1/24
+          - Address: 2a0f:4ac0:acab::1/62
+        - RoutingPolicyRule:
+          - From: 195.39.246.32/28
+          - Table: 254
+          - Priority: 1900
+          - SuppressPrefixLength: 0
+        - RoutingPolicyRule:
+          - From: 2a0f:4ac0:acab::/62
+          - Table: 254
+          - Priority: 1900
+          - SuppressPrefixLength: 0
+        - RoutingPolicyRule:
+          - From: 195.39.246.32/28
+          - Table: 1234
+          - Priority: 2000
+        - RoutingPolicyRule:
+          - From: 2a0f:4ac0:acab::/62
+          - Table: 1234
+          - Priority: 2000
+    - name: usb-tetherring
+      priority: 91
+      content:
+        - Match:
+          - Name: enp*s*u*
+        - Network:
+          - DHCP: yes
+
+files:
+  /var/lib/websites:
+    state:   "directory"
+    mode:    "0755"
+    owner:   "leah"
+    group:   "http"
+  /var/lib/websites/dnsmasq.home.ctu.cx:
+    state:   "directory"
+    mode:    "0755"
+    owner:   "leah"
+    group:   "http"
+
+services:
+  openssh:
+    enable: true
+    port: 22
+    permitRootLogin: true
+    passwordAuthentication: false
+
+  prometheus_node_exporter:
+    enable: true
+
+  vnstat:
+    enable: true
+
+  acme_redirect:
+    enable: true
+    email: lets-encrypt@ctu.cx
+    renew_if_days_left: 30
+    certs:
+      maikaefer.ctu.cx:
+        renewTasks:
+          - systemctl restart nginx
+      home.ctu.cx:
+        extraDnsNames: 
+          - legacy.home.ctu.cx
+        renewTasks:
+          - systemctl restart nginx
+      dnsmasq.home.ctu.cx:
+        renewTasks:
+          - systemctl restart nginx
+
+  php_fpm:
+    enable: true
+    version: 8
+    extraModules:
+      - gd
+      - intl
+    listeners:
+      www:
+        user: leah
+        group: leah
+        listenerPath: /run/php-fpm/php-fpm.sock
+        listenerOwner: http
+        listenerGroup: http
+
+  nginx:
+    enable: true
+    sslOnly: true
+    vhosts:
+      maikaefer.ctu.cx:
+        defaultserver: true
+        ssl:
+          enable: true
+          cert: "/var/lib/acme-redirect/live/maikaefer.ctu.cx/fullchain"
+          privkey: "/var/lib/acme-redirect/live/maikaefer.ctu.cx/privkey"
+        locations:
+          - path: /node-exporter
+            proxy: http://127.0.0.1:9100/metrics
+      dnsmasq.home.ctu.cx:
+        root: /var/lib/websites/dnsmasq.home.ctu.cx
+        extraConfig: "
+          try_files $uri $uri/ /index.php?$query_string;
+        "
+        enablePhpSupport: true
+        phpSocket: /run/php-fpm/php-fpm.sock
+        ssl:
+          enable: true
+          cert: "/var/lib/acme-redirect/live/dnsmasq.home.ctu.cx/fullchain"
+          privkey: "/var/lib/acme-redirect/live/dnsmasq.home.ctu.cx/privkey"
+
+  dnsmasq:
+    enable: true
+    local_service: true
+    no_resolv: true
+    no_hosts: true
+    domain_needed: true
+    bogus_priv: true
+    expand_hosts: false
+    read_ethers: false
+    enable_ra: true
+    quiet_ra: true
+    domain: home.ctu.cx
+    auth_ttl: 600
+    auth_server: home.ctu.cx, wg-pbb
+    auth_zones:
+      - home.ctu.cx,                        10.0.0.1/24,   195.39.246.32/28,   2a0f:4ac0:acab::1/64
+    local_addresses:
+      - /fritz.box/192.168.178.1
+      - /lollo/10.0.0.1
+      - /isa-nuc/195.39.246.41
+    addresses:
+      - home.ctu.cx,                        195.39.246.33,   2a0f:4ac0:acab::1
+      - legacy.home.ctu.cx,                 195.39.246.33,   2a0f:4ac0:acab::1
+      - dnsmasq.home.ctu.cx,                195.39.246.33,   2a0f:4ac0:acab::1
+      - music.home.ctu.cx,                  195.39.246.42,   2a0f:4ac0:acab::1
+      - influx.home.ctu.cx,                 195.39.246.42,   2a0f:4ac0:acab::1
+      - isa-nuc.home.ctu.cx,                195.39.246.41,   2a0f:4ac0:acab::41
+    dns_servers:
+      - 1.1.1.1
+      - 1.0.0.1
+      - 8.8.8.8
+      - 8.8.4.4
+    dhcp:
+      authoritative: true
+      rapid_commit:  true
+      sequential_ip: true
+      options:
+        - option6:information-refresh-time, 6h
+        - option6:dns-server,               [2a0f:4ac0:acab::1]
+        - private, option:router,           10.0.0.1
+        - private, option:dns-server,       10.0.0.1
+        - public,  option:router,           195.39.246.33
+        - public,  option:dns-server,       195.39.246.33
+      ranges:
+        - private, 10.0.0.100,          10.0.0.200,                           255.255.255.0,                  48h
+        - public,  195.39.246.34,       static,                               255.255.255.240, 195.39.246.47, 48h
+        -          2a0f:4ac0:acab::100, 2a0f:4ac0:acab::01ff, ra-names,slaac, 64,                             48h
+      hosts:
+        # accesspoint
+        - f4:06:8d:df:1f:e3,                                          accesspoint,      10.0.0.2
+        # ctucx macbook
+        - id:00:01:00:01:27:51:55:30:80:e6:50:21:e0:6a,               toaster,          [2a0f:4ac0:acab::34]
+        - 80:e6:50:21:e0:6a,                                          toaster,          195.39.246.34
+        # ctucx thinkcentre
+        - id:e8:6a:64:f4:49:e7,                                       stasicontainer,   [2a0f:4ac0:acab::39]
+        - e8:6a:64:f4:49:e7,                                          stasicontainer,   195.39.246.39
+        # ctucx thinkpad x390 (mac: wlan, eth)
+        - id:04:ea:56:3c:bc:ac,                                       coladose,         [2a0f:4ac0:acab::35]
+        - 04:ea:56:3c:bc:ac, e8:6a:64:d6:e3:33,                       coladose,         195.39.246.35
+        # isa macbook
+        - id:00:01:00:01:23:53:5d:7e:6c:40:08:af:2e:9c,               isabelles-mbp,    [2a0f:4ac0:acab::38]
+        - 6c:40:08:af:2e:9c,                                          isabelles-mbp,    195.39.246.38
+        # isa thinkpad x390
+        - id:04:ea:56:f2:b4:6c,                                       isa-x390,         [2a0f:4ac0:acab::36]
+        - 04:ea:56:f2:b4:6c,                                          isa-x390,         195.39.246.36
+        # isa p2max
+        - id:ac:67:5d:12:2f:5a,                                       isa-p2max,        [2a0f:4ac0:acab::40]
+        - ac:67:5d:12:2f:5a,                                          isa-p2max,        195.39.246.40
+        # isa nuc
+        - id:1c:69:7a:61:61:bf,                                       isa-nuc,          [2a0f:4ac0:acab::41]
+        - 1c:69:7a:61:61:bf,                                          isa-nuc,          195.39.246.41
+
+  frpc:
+    enable: true
+    serverAddress: osterei.ctu.cx
+    serverPort: 5050
+    token: "{{ lookup('diskcache', 'passwordstore', 'Server/osterei/frps/token returnall=true')}}"
+    dashboard: false
+    tunnels:
+      - name: maikaefer-ssh
+        type: tcp
+        local_ip: 127.0.0.1
+        local_port: 22
+        remote_port: 2203
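Review bot: `- Brige: brlan` under the `Network:` section of the enp2s0 entry is a typo for `Bridge`; if the role renders these keys verbatim into the .network unit, networkd will log an unknown-key warning and enp2s0 is never enslaved to brlan, which the commented-out `Bridge: brlan` under enp2s0.5 suggests is the intent — change it to `- Bridge: brlan`. `DHCP: yes` and `DHCP: no` are unquoted YAML 1.1 booleans, so Ansible sees True/False rather than the literal strings; quote them (`'yes'`, `'no'`) so the rendered unit carries the value as written. The auth_zones entry uses `2a0f:4ac0:acab::1/64` while every other reference to that prefix is /62, which is worth confirming. Trailing whitespace after `priority: 40` and `extraDnsNames:` should be dropped.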
diff --git a/playbook.yml b/playbook.yml
@@ -154,6 +154,33 @@
     - role: rest-server
       tags: [ backup, rest-server, restic ]
 
+- hosts: maikaefer
+  name:  Install maikaefer
+  vars_files: configuration/maikaefer.yml
+  roles: 
+    - role: common
+      tags: common
+    - role: openssh
+      tags: [ openssh, common ]
+    - role: files
+      tags: files
+    - role: systemd-timers
+      tags: timers
+    - role: systemd-networkd
+      tags: systemd-networkd
+    - role: vnstat
+      tags: vnstat
+    - role: php-fpm  
+      tags: php-fpm
+#    - role: nginx
+#      tags: nginx
+    - role: dnsmasq
+      tags: dnsmasq
+#    - role: frpc
+#      tags:
+#        - frp
+#        - frpc
+
 - hosts: stasicontainer
   name:  Install stasicontainer
   vars_files: configuration/stasicontainer.yml
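Review bot: The new play leaves `nginx` and `frpc` commented out while configuration/maikaefer.yml declares both with `enable: true` (and its acme_redirect renewTasks run `systemctl restart nginx`), so the host configuration and the play disagree on what is actually deployed; if holding these roles back is deliberate, a one-line comment above the commented entries stating why would record that intent for the next run. `acme_redirect` and `prometheus_node_exporter` are enabled in the configuration but do not appear in the role list either; whether `common` covers them is not visible from this hunk. `roles: ` and `role: php-fpm  ` carry trailing whitespace.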