Merge branch 'release/0.8.0'

davidderus · Dec 17, 2017 · 767af7d · 767af7d
2 parents 8835163 + 2c33cb0
commit 767af7d
Show file tree

Hide file tree

Showing 8 changed files with 122 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-# ansible-rpi 0.7.0
+# ansible-rpi 0.8.0
 
 ## Purpose
 
@@ -21,18 +21,21 @@ Tested on a Rpi 3 B+ and a Rpi 1 B.
 - Custom sudo user for rpi (*thus disabling pi as Rpi sudoer*)
 - `oh-my-zsh` install and vim as default editor
 - Dynamic network folder and local drive setup (*Works with SAMBA and include basic credentials management*)
-- Optionnal hostname update and Zeroconf
-- Optionnal custom SSH banner
-- Optionnal Wifi config
-- Optionnal Mosh support
-- Optionnal unsudo of the pi user
+- Fail2Ban configuration to send mail via SSMTP, handle a custom SSH port and
+  some user-defined services
+- Optional hostname update and Zeroconf
+- Optional custom SSH banner
+- Optional Wifi config
+- Optional Mosh support
+- Optional unsudo of the pi user
+- Optionally add a list of user to the sudoers with NOPASSWD
 
 ### `download_server` role
 
 > Turn the Rpi in a download server for ddl and torrents
 
 - Aria2 daemon
-- RPC interface for remote monitoring with optionnal SSL encryption
+- RPC interface for remote monitoring with optional SSL encryption
 - Shared downloads directory (*may be replaced by a previously configured network folder*)
 
 ### `media_center` role
@@ -42,8 +45,8 @@ Tested on a Rpi 3 B+ and a Rpi 1 B.
 - Kodi basic installation with separate user
 - Dynamic sources creation (*may be linked to previously configured network folders*)
 - Buffer handling optimized for a Raspberry
-- Optionnal `kodi` user with `kodi-standalone` and a minimal Openbox setup
-- Optionnal [Tvheadend](https://tvheadend.org/) install with basic config
+- Optional `kodi` user with `kodi-standalone` and a minimal Openbox setup
+- Optional [Tvheadend](https://tvheadend.org/) install with basic config
 
 ### `rpi_docker` role
 
@@ -99,7 +102,7 @@ required to enable it.**).
 
 Then the first time run:
 
-```
+```shell
 ansible-playbook playbook.yml -u pi --ask-pass
 ```
 
@@ -110,13 +113,13 @@ vault.**
 
 First run:
 
-```
+```shell
 ansible-playbook playbook.yml -i hosts.dev
 ```
 
 Next runs:
 
-```
+```shell
 # Editing the hosts file may be required to update the SSH port
 # A vagrant reload may also be needed
 # Checks access with
@@ -139,7 +142,7 @@ This may cause axtra slowness on user authentification (*ie. sudo password promp
 
 Please use the following command to generate a user password hash [2]:
 
-```bash
+```shell
 python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass(), rounds=5000)"
 ```
 

diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
@@ -35,3 +35,8 @@ ssmtp_auth_user: "{{ ssmtp_email }}"
 
 server_allow_upgrade: true
 server_allow_reboot: true
+
+server_fail2ban_jail_file: /etc/fail2ban/jail.conf
+server_fail2ban_jail_local_file: /etc/fail2ban/jail.local
+server_fail2ban_services: []
+server_fail2ban_email: '{{ ssmtp_email }}'
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
@@ -5,3 +5,8 @@
 
 - name: Reload firewall
   ufw: state=reloaded
+
+- name: Restart fail2ban
+  service:
+    name: fail2ban
+    state: restarted
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
@@ -0,0 +1,34 @@
+---
+
+- name: Update ssh port in config
+  replace:
+    path: '{{ server_fail2ban_jail_file }}'
+    regexp: '^port\s+=\s+ssh$'
+    replace: 'port = {{ ssh_port }}'
+  notify: Restart fail2ban
+  when: ssh_port is defined and ssh_port != 22
+
+- name: Update email in config
+  lineinfile:
+    path: '{{ server_fail2ban_jail_file }}'
+    regexp: '^destemail\s+='
+    line: 'destemail = {{ server_fail2ban_email }}'
+    state: present
+  notify: Restart fail2ban
+
+- name: Send more than an ip on jailed
+  lineinfile:
+    path: '{{ server_fail2ban_jail_file }}'
+    regexp: '^action\s+=\s+\%\(action_\w+\)s'
+    line: 'action = %(action_mwl)s'
+    state: present
+  notify: Restart fail2ban
+
+- name: Generate jail.local file
+  template:
+    src: fail2ban/jail.local.j2
+    dest: '{{ server_fail2ban_jail_local_file }}'
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart fail2ban
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
@@ -4,12 +4,17 @@
 
 - include: base.yml
 - include: ssh.yml
-- include: firewall.yml
 
 - include: hostname.yml
   when: with_custom_hostname
 
 - include: ssmtp.yml
+
+- include: fail2ban.yml
+  tags: fail2ban
+
+- include: firewall.yml
+
 - include: logwatch.yml
 
 # Optionnals
@@ -30,5 +35,11 @@
 # Super optionnal (may break current process if you're using the user)
 
 - include: user_unsudo.yml server_unsudo_user={{ item }}
-  with_items: "{{ server_unsudoed_users|default([]) }}"
+  with_items: "{{ server_unsudoed_users }}"
   when: server_unsudoed_users is defined
+
+- include: sudoers_nopasswd.yml
+  with_items: "{{ server_sudo_nopasswd_users }}"
+  loop_control:
+    loop_var: nopasswd_user
+  when: server_sudo_nopasswd_users is defined
diff --git a/roles/common/tasks/sudoers_nopasswd.yml b/roles/common/tasks/sudoers_nopasswd.yml
@@ -0,0 +1,9 @@
+---
+
+- name: "Add {{ nopasswd_user }} to sudoers with the NOPASSWD option"
+  lineinfile:
+    path: /etc/sudoers
+    state: present
+    regexp: "^%{{ nopasswd_user }} ALL="
+    line: "%{{ nopasswd_user }} ALL=(ALL) NOPASSWD: ALL"
+    validate: '/usr/sbin/visudo -cf %s'
diff --git a/roles/common/templates/fail2ban/jail.local.j2 b/roles/common/templates/fail2ban/jail.local.j2
@@ -0,0 +1,23 @@
+# {{ ansible_managed }}
+
+{% for service in server_fail2ban_services %}
+[{{ service.name }}]
+
+enabled = {{ '"%s"' | format(service.enabled | lower) }}
+port = {{ service.port }}
+filter = {{ service.filter }}
+logpath = {{ service.logpath }}
+{% if service.maxretry is defined %}
+maxretry = {{ service.maxretry }}
+{% endif %}
+{% if service.protocol is defined %}
+protocol = {{ service.protocol }}
+{% endif %}
+{% if service.action is defined %}
+action = %({{ service.action }})s
+{% endif %}
+{% if service.banaction is defined %}
+banaction = {{ service.banaction }}
+{% endif %}
+
+{% endfor %}
diff --git a/variables.yml.inc b/variables.yml.inc
@@ -98,6 +98,23 @@ with_vim: True
 # server_unsudoed_users:
 #   - pi
 
+# You can enable sudo access without password for specific users.
+# This is not the default behavior.
+# server_sudo_nopasswd_users:
+#   - neo
+
+# Fail2Ban
+
+server_fail2ban_services:
+  - name: apache-auth-custom
+    enabled: true
+    port: http,https
+    filter: apache-auth
+    logpath: '/custom/apache/log/file.log'
+    maxretry: 3
+
+server_fail2ban_email: admin+fail2ban@gmail.com
+
 ########################
 # Download server Role #
 ########################