commit fa669646f963192cd77e15cb8705ff085c45c0a3
parent 62305c354bd523cab49ed24f78744b46307ddf40
Author: Leah Thein <leah@toaster.home.ctu.cx>
Date: Tue, 8 Dec 2020 00:29:02 +0100
arch: add playbook, inventory, configs
4 files changed, 307 insertions(+), 0 deletions(-)
A
|
105
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A
|
183
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
diff --git a/arch/config-files/common/pacman.conf.patch b/arch/config-files/common/pacman.conf.patch
@@ -0,0 +1,12 @@
+--- /etc/pacman.conf 2020-07-01 03:52:38.000000000 +0200
++++ pacman.conf 2020-12-07 14:18:19.773580876 +0100
+@@ -83,6 +83,10 @@
+ [community]
+ Include = /etc/pacman.d/mirrorlist
+
++[aurto]
++Server = https://repo.f2k1.de
++SigLevel = Optional TrustAll
++
+ # If you want to run 32 bit applications on your x86_64 system,
+ # enable the multilib repositories as required here.+ \ No newline at end of file
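Review bot: `SigLevel = Optional TrustAll` on the new `[aurto]` repository switches off signature verification for every package and database fetched from it, so the integrity of what gets installed rests entirely on the TLS connection to repo.f2k1.de and on that host never being compromised. If the repository publishes signed packages, import its signing key with `pacman-key` and use `SigLevel = Required DatabaseOptional` (or drop the line so the global default applies); if it is genuinely unsigned, a comment such as `# unsigned third-party repo, trusted deliberately` next to the entry would make that trade-off visible to the next reader rather than leaving it implicit.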
diff --git a/arch/config-files/ferm/ferm-lollo.conf b/arch/config-files/ferm/ferm-lollo.conf 
@@ -0,0 +1,104 @@ +# -*- shell-script -*- +# +# Ferm example script +# +# Firewall configuration for a router with a dynamic IP. +# +# Author: Max Kellermann <max@duempel.org> +# + +@def $DEV_LAN = brlan; +@def $DEV_WAN = enp2s0; + +@def $NET_LAN = 10.0.0.0/24; + +# globally accessible services +@def $WAN_TCP = ( 22 ); +@def $WAN_UDP = ( 1194 ); +# ( ssh ) +# ( wireguard ) + +# locally accessible services +@def $LAN_TCP = ( 53 22 ); +@def $LAN_UDP = ( 53 67 69 123 ); +# ( dns ssh ) +# ( dns dhcp tftp ntp ) + +# generic input and forwarding rules for ipv4 and ipv6 +domain (ip ip6) { + table filter { + chain INPUT { + policy DROP; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # allow local connections + interface lo ACCEPT; + interface $DEV_LAN ACCEPT; + interface wg-pbb ACCEPT; + + # respond to ping + proto icmp ACCEPT; + + # local services + interface ! $DEV_WAN { + proto tcp dport $LAN_TCP ACCEPT; + proto udp mod multiport destination-ports $LAN_UDP ACCEPT; + } + + proto tcp dport $WAN_TCP ACCEPT; + proto udp dport $WAN_UDP ACCEPT; + } + + # outgoing connections are not limited + chain OUTPUT policy ACCEPT; + + chain FORWARD { + policy DROP; + + # connection tracking + mod state state INVALID DROP; + mod state state (ESTABLISHED RELATED) ACCEPT; + + # local clients can do whatever + interface $DEV_LAN ACCEPT; + + + proto icmp ACCEPT; + + mod conntrack ctstate DNAT ACCEPT; + + # the rest is dropped by the above policy + } + } +} + +# nat only for ipv4 +domain ip { + table nat { + chain PREROUTING { + policy ACCEPT; + + # port forwards, ala daddr $WAN_IP dport 65522 DNAT to 192.168.0.2:22; + } + + chain POSTROUTING { + policy ACCEPT; + + outerface $DEV_WAN MASQUERADE; + saddr $NET_LAN mod conntrack ctstate DNAT MASQUERADE; # needle point loopback + } + } +} + +domain ip6 { + table filter { + chain INPUT { + proto ipv6-icmp icmpv6-type redirect DROP; + proto ipv6-icmp icmpv6-type 139 DROP; + proto 
ipv6-icmp ACCEPT; + } + } +}+ \ No newline at end of file
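Review bot: `interface wg-pbb ACCEPT;` in the INPUT chain admits any packet arriving over the tunnel to every local service, and the playbook in this same commit gives wg-pbb `AllowedIPs: 0.0.0.0/0, ::/0` plus the host's public addresses, so the tunnel side behaves like a second WAN that bypasses the `$WAN_TCP`/`$WAN_UDP` allow-list applied to enp2s0. Unless desastro filters inbound traffic before it enters the tunnel, removing that line would let wg-pbb fall through to the `interface ! $DEV_WAN` block and the explicit WAN rules, or it can be narrowed to what is meant to be reachable there, e.g. `interface wg-pbb proto tcp dport $WAN_TCP ACCEPT;`. The `$WAN_UDP = ( 1194 )` entry is annotated `( wireguard )`, but 1194 is the OpenVPN default and the only WireGuard peer configured here is reached outbound on 51820 with a keepalive, so this may be an open port with no listener behind it; confirm what listens there or drop it. The header still reads "Ferm example script" for "a router with a dynamic IP" with the upstream author credit, which no longer describes this host with its static /28, so a short comment naming the three interfaces (`$DEV_WAN`, `$DEV_LAN`, wg-pbb) and their roles would replace it usefully.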
diff --git a/arch/inventory b/arch/inventory
@@ -0,0 +1,5 @@
+[all:vars]
+ansible_ssh_user=root
+
+[lollo]
+192.168.178.116+ \ No newline at end of file
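Review bot: `ansible_ssh_user` is the pre-2.0 spelling of this connection variable; current Ansible reads `ansible_user`, so the line should be `ansible_user=root` rather than relying on the deprecated alias. Connecting as root also requires sshd on the target to keep root login enabled for the lifetime of the setup; since the playbook creates a `wheel` user `leah` with an SSH key, pointing the inventory at that user and adding `become: true` to the plays would allow root SSH to be disabled after the first run.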
diff --git a/arch/playbook.yml b/arch/playbook.yml 
@@ -0,0 +1,182 @@ +--- +- hosts: all + remote_user: root + gather_facts: false + tasks: + - name: Install Python + raw: test -e /usr/bin/python || pacman -Sy --noconfirm python + +- hosts: lollo + name: Install lollo + roles: + - common + - kawaidesu.ansible_networkd + - hostapd + - dnsmasq +# - syncthing +# - frp + vars: + users: + - name: leah + groups: "wheel" + password: "$6$foobar123$1qcCmnoveirSdWY9XdgH5hCXv32hj0n/AyJX46sSp1LyGCA8QT/xxifebRxr89uIH6vwhzFGgz4.H2sG0en0f0" + sshKey: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCw/G6x8H3ojvHx3NsTswBMMmOhp48F3rea0GUniKSvRLMRIti5b7Q4P4FXnkQEtuNSR3u7gE5r4EacaLaIx7Az9SgHRoE+hdzSo4mPAwKTx/E3HZgIjdZhTDL8PAn4SZZT6RBqr/uGb+x9fdIjY0FbdNBLjq0MNnG3T+qd1joUL8JXoS7F//ac52RhHlsA5qJXFDOhpqR/7hRMwOFNH0GKaLN1xQKcOjhpIcdswpOf8kRDVpT7xOYwfXCFF4MaY2M8047WKarvEnGdADIIw6bvWsdJINehtOQmYEFRaMuaWp1d9bglZXZKPQKNubv5lqneMP4AI7ImDYjgW6eNLIT1 cardno:000603502829" + + network: + hostname: lollo + domain: ctu.cx + ip_forwarding: true + useFerm: true + + networkd: + networkd_resolv_conf_content: + - nameserver 1.1.1.1 + - nameserver 8.8.8.8 + networkd_apply_action: "restart" + netdev: + - name: enp2s0.5 + priority: 20 + content: + - NetDev: + - Name: enp2s0.5 + - Kind: vlan + - VLAN: + - Id: 5 + - name: wg-pbb + priority: 30 + content: + - NetDev: + - Name: wg-pbb + - Kind: wireguard + - WireGuard: + - PrivateKey: "{{ lookup('community.general.passwordstore', 'server/lollo/wireguard.privkey returnall=true') }}" + - FirewallMark: 51820 + - WireGuardPeer: + - PublicKey: "{{ lookup('community.general.passwordstore', 'server/desastro/wireguard.pubkey returnall=true') }}" + - AllowedIPs: "0.0.0.0/0, ::/0" + - Endpoint: "desastro.ctu.cx:51820" + - PersistentKeepalive: 25 + - name: brlan + priority: 40 + content: + - NetDev: + - Name: brlan + - Kind: bridge + network: + - name: enp2s0 + priority: 20 + content: + - Match: + - Name: enp2s0 + - Network: + - DHCP: yes + - VLAN: enp2s0.5 + - name: enp2s0.5 + priority: 20 + content: + - Match: + - Name: enp2s0.5 + 
- Network: + - Bridge: brlan + - name: wg-pbb + priority: 30 + content: + - Match: + - Name: wg-pbb + - Network: + - Address: 195.39.246.32/32 + - Address: 2a0f:4ac0:acab::1/128 + - RoutingPolicyRule: + - FirewallMark: 51820 + - Family: both + - Priority: 1000 + - RoutingPolicyRule: + - FirewallMark: 51820 + - Table: 2342 + - Family: both + - Priority: 1500 + - Route: + - Destination: 0.0.0.0/0 + - Table: 1234 + - Route: + - Destination: ::/0 + - Table: 1234 + - Route: + - Destination: 0.0.0.0/0 + - Table: 2342 + - Type: unreachable + - Route: + - Destination: ::/0 + - Table: 2342 + - Type: unreachable + - name: brlan + priority: 40 + content: + - Match: + - Name: brlan + - Driver: bridge + - Network: + - DHCP: no + - Address: 195.39.246.32/28 + - Address: 10.0.0.1/24 + - Address: 2a0f:4ac0:acab::1/48 + - RoutingPolicyRule: + - From: 195.39.246.32/28 + - Table: 1234 + - Priority: 2000 + - RoutingPolicyRule: + - 
From: 2a0f:4ac0:acab::/48 + - Table: 1234 + - Priority: 2000 + + hostapd: + interface: wlp3s0 + bridge: brlan + channel: 1 + ssid: legacy.home.ctu.cx + passphrase: "{{ lookup('community.general.passwordstore', 'WiFi/legacy.home.ctu.cx returnall=true')}}" + + dnsmasq: + wan_interface: enp2s0 + local_service: true + no_resolv: true + domain_needed: true + bogus_priv: true + expand_hosts: true + read_ethers: true + enable_ra: true + quiet_ra: true + domain: home.ctu.cx + dns_servers: + - 1.1.1.1 + - 1.0.0.1 + - 8.8.8.8 + - 8.8.4.4 + dhcp: + authoritative: true + rapid_commit: true + sequential_ip: true + options: + - option6:information-refresh-time,6h + - option:dns-server,10.0.0.1 + - option:router,10.0.0.1 + ranges: + - 195.39.246.33, 195.39.246.42, 255.255.255.240, 48h + - 10.0.0.40, 10.0.0.253, 255.255.255.0, 48h + - 2a0f:4ac0:acab::, ra-names, 48h + + syncthing: + disableReverseProxy: true + guiAddress: 0.0.0.0:8384 + + frpc: + serverAddress: wanderduene.ctu.cx + serverPort: 5050 + token: "{{ lookup('community.general.passwordstore', 'server/wanderduene/frps/token returnall=true')}}" + dashboard: false + tunnels: + - name: lollo-ssh + type: tcp + local_ip: 127.0.0.1 + local_port: 22 + remote_port: 2202+ \ No newline at end of file
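Review bot: the `password:` for user `leah` is a literal crypt(3) hash with a short fixed salt (`$6$foobar123$…`) committed to the repository, while every other secret in this play (the WireGuard keys, the WiFi passphrase, the frp token) is fetched from passwordstore at run time. A hash in version control can be attacked offline by anyone with read access to the repo and stays valid until the password is rotated, so it belongs behind the same lookup, e.g. `password: "{{ lookup('community.general.passwordstore', '<PASSWORDSTORE_PATH> returnall=true') }}"`, with the hash regenerated afterwards. The bootstrap task `pacman -Sy --noconfirm python` refreshes the package database and then installs against it without upgrading the rest of the system, which on Arch is the partial-upgrade state the distribution's documentation warns against; `pacman -Syu --noconfirm python` is the usual form when a refresh is needed. The enclosing `vars:` map continues past this hunk, so later keys are not visible here.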