From 749ebf86746ef0dd5abecb9ec0f1d564ebe0d450 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20D=C3=A9rus?=
Date: Sun, 1 Oct 2017 12:24:16 +0200
Subject: [PATCH 01/10] [+] Adding sudo_nopasswd_users support

---
 README.md                               | 1 +
 roles/common/tasks/main.yml             | 8 +++++++-
 roles/common/tasks/sudoers_nopasswd.yml | 9 +++++++++
 variables.yml.inc                       | 5 +++++
 4 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100644 roles/common/tasks/sudoers_nopasswd.yml

diff --git a/README.md b/README.md
index 518c977..0e7c252 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,7 @@ Tested on a Rpi 3 B+ and a Rpi 1 B.
 - Optionnal Wifi config
 - Optionnal Mosh support
 - Optionnal unsudo of the pi user
+- Optionnaly add a list of user to the sudoers with NOPASSWD
 
 ### `download_server` role
 
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 84cf889..bcb81ca 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -30,5 +30,11 @@
 
 # Super optionnal (may break current process if you're using the user)
 - include: user_unsudo.yml server_unsudo_user={{ item }}
-  with_items: "{{ server_unsudoed_users|default([]) }}"
+  with_items: "{{ server_unsudoed_users }}"
   when: server_unsudoed_users is defined
+
+- include: sudoers_nopasswd.yml
+  with_items: "{{ server_sudo_nopasswd_users }}"
+  loop_control:
+    loop_var: nopasswd_user
+  when: server_sudo_nopasswd_users is defined
diff --git a/roles/common/tasks/sudoers_nopasswd.yml b/roles/common/tasks/sudoers_nopasswd.yml
new file mode 100644
index 0000000..afd85db
--- /dev/null
+++ b/roles/common/tasks/sudoers_nopasswd.yml
@@ -0,0 +1,9 @@
+---
+
+- name: "Add {{ nopasswd_user }} to sudoers with the NOPASSWD option"
+  lineinfile:
+    path: /etc/sudoers
+    state: present
+    regexp: "^%{{ nopasswd_user }} ALL="
+    line: "%{{ nopasswd_user }} ALL=(ALL) NOPASSWD: ALL"
+    validate: '/usr/sbin/visudo -cf %s'
diff --git a/variables.yml.inc b/variables.yml.inc
index 43fc08b..c396f6b 100644
--- a/variables.yml.inc
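Review bot: The `%` prefix in both `regexp` and `line` of the new sudoers task makes this a group rule in sudoers syntax, while the task name, the `nopasswd_user` loop variable and `server_sudo_nopasswd_users` all describe users; on a host without a same-named private group the entry grants nothing, and where such a group exists every member of it gets passwordless root, which is wider than the variable promises. If users are meant, drop the prefix: `regexp: "^{{ nopasswd_user }} ALL="` and `line: "{{ nopasswd_user }} ALL=(ALL) NOPASSWD: ALL"`. Writing one drop-in per user under `/etc/sudoers.d/` (owner root, mode 0440, same `visudo -cf %s` validate) would also leave the distro-managed `/etc/sudoers` untouched and make revoking a user a single file removal, which the current `state: present`-only task has no path for.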
+++ b/variables.yml.inc
@@ -98,6 +98,11 @@ with_vim: True
 # server_unsudoed_users:
 # - pi
 
+# You can enable sudo access without password for specific users.
+# This is not the default behavior.
+# server_sudo_nopasswd_users:
+# - neo
+
 ########################
 # Download server Role #
 ########################

From 2e640a477135f32b96c876468ce03364ebffd0f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20D=C3=A9rus?=
Date: Sat, 2 Dec 2017 12:39:04 +0100
Subject: [PATCH 02/10] [-] Fixing some typos and linting in README

Thanks @ax42 !
---
 README.md | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 0e7c252..82f04a3 100644
--- a/README.md
+++ b/README.md
@@ -21,19 +21,19 @@ Tested on a Rpi 3 B+ and a Rpi 1 B.
 - Custom sudo user for rpi (*thus disabling pi as Rpi sudoer*)
 - `oh-my-zsh` install and vim as default editor
 - Dynamic network folder and local drive setup (*Works with SAMBA and include basic credentials management*)
-- Optionnal hostname update and Zeroconf
-- Optionnal custom SSH banner
-- Optionnal Wifi config
-- Optionnal Mosh support
-- Optionnal unsudo of the pi user
-- Optionnaly add a list of user to the sudoers with NOPASSWD
+- Optional hostname update and Zeroconf
+- Optional custom SSH banner
+- Optional Wifi config
+- Optional Mosh support
+- Optional unsudo of the pi user
+- Optionaly add a list of user to the sudoers with NOPASSWD
 
 ### `download_server` role
 
 > Turn the Rpi in a download server for ddl and torrents
 
 - Aria2 daemon
-- RPC interface for remote monitoring with optionnal SSL encryption
+- RPC interface for remote monitoring with optional SSL encryption
 - Shared downloads directory (*may be replaced by a previously configured network folder*)
 
 ### `media_center` role
@@ -43,8 +43,8 @@ Tested on a Rpi 3 B+ and a Rpi 1 B.
 - Kodi basic installation with separate user
 - Dynamic sources creation (*may be linked to previously configured network folders*)
 - Buffer handling optimized for a Raspberry
-- Optionnal `kodi` user with `kodi-standalone` and a minimal Openbox setup
-- Optionnal [Tvheadend](https://tvheadend.org/) install with basic config
+- Optional `kodi` user with `kodi-standalone` and a minimal Openbox setup
+- Optional [Tvheadend](https://tvheadend.org/) install with basic config
 
 ### `rpi_docker` role
 
@@ -100,7 +100,7 @@ required to enable it.**).
 
 Then the first time run:
 
-```
+```shell
 ansible-playbook playbook.yml -u pi --ask-pass
 ```
 
@@ -111,13 +111,13 @@ vault.**
 
 First run:
 
-```
+```shell
 ansible-playbook playbook.yml -i hosts.dev
 ```
 
 Next runs:
 
-```
+```shell
 # Editing the hosts file may be required to update the SSH port
 # A vagrant reload may also be needed
 # Checks access with
@@ -140,7 +140,7 @@ This may cause axtra slowness on user authentification (*ie. sudo password promp
 
 Please use the following command to generate a user password hash [2]:
 
-```bash
+```shell
 python -c "from passlib.hash import sha512_crypt; import getpass; print sha512_crypt.encrypt(getpass.getpass(), rounds=5000)"
 ```
 

From dd61987ad6dad1819223568595613dc703fc0194 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20D=C3=A9rus?=
Date: Sat, 2 Dec 2017 12:40:23 +0100
Subject: [PATCH 03/10] [-] One more!

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 82f04a3..e2a236d 100644
--- a/README.md
+++ b/README.md
@@ -26,7 +26,7 @@ Tested on a Rpi 3 B+ and a Rpi 1 B.
 - Optional Wifi config
 - Optional Mosh support
 - Optional unsudo of the pi user
-- Optionaly add a list of user to the sudoers with NOPASSWD
+- Optionally add a list of user to the sudoers with NOPASSWD
 
 ### `download_server` role
 

From 22d3354985acda06a3b34a5c5eeaf59dcaaaa8e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20D=C3=A9rus?= Date: Sun, 17 Dec 2017 16:06:22 +0100 Subject: [PATCH 04/10] [*] Adding fail2ban task for custom ssh port and ssmtp emailing --- roles/common/defaults/main.yml | 2 ++ roles/common/handlers/main.yml | 5 +++++ roles/common/tasks/fail2ban.yml | 25 +++++++++++++++++++++++++ roles/common/tasks/main.yml | 7 ++++++- 4 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 roles/common/tasks/fail2ban.yml diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 55c7ff1..98a69db 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml @@ -35,3 +35,5 @@ ssmtp_auth_user: "{{ ssmtp_email }}" server_allow_upgrade: true server_allow_reboot: true + +server_fail2ban_jail_file: /etc/fail2ban/jail.conf diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 69f6e1f..31a74c8 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -5,3 +5,8 @@ - name: Reload firewall ufw: state=reloaded + +- name: Restart fail2ban + service: + name: fail2ban + state: restarted diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml new file mode 100644 index 0000000..85d8f20 --- /dev/null +++ b/roles/common/tasks/fail2ban.yml @@ -0,0 +1,25 @@ +--- + +- name: Update ssh port in config + replace: + path: '{{ server_fail2ban_jail_file }}' + regexp: '^port\s+=\s+ssh$' + replace: 'port = {{ ssh_port }}' + notify: Restart fail2ban + when: ssh_port is defined and ssh_port != 22 + +- name: Update email in config + lineinfile: + path: '{{ server_fail2ban_jail_file }}' + regexp: '^destemail\s+=' + line: 'destemail = {{ ssmtp_email }}' + state: present + notify: Restart fail2ban + +- name: Send more than an ip on jailed + lineinfile: + path: '{{ server_fail2ban_jail_file }}' + regexp: '^action\s+=\s+\%\(action_\)s$' + line: 'action = %(action_mwl)s' + state: present + notify: Restart fail2ban 
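Review bot: All three tasks in the new `fail2ban.yml` rewrite the distro-shipped `/etc/fail2ban/jail.conf` in place (the `server_fail2ban_jail_file` default), a file a package upgrade may overwrite; after such an upgrade fail2ban would quietly go back to watching port 22 with the stock `destemail` and `action`, so brute-force detection would stop covering the real SSH port without any playbook failure. fail2ban layers `jail.local` and `jail.d/*.conf` on top of `jail.conf` for exactly this purpose, so the three settings are more robust as a `[DEFAULT]` block (`destemail = {{ ssmtp_email }}`, `action = %(action_mwl)s`) plus an `[sshd]` block with `port = {{ ssh_port }}` in a role-owned override file than as regex edits of the vendor file. The `replace` on `^port\s+=\s+ssh$` also rewrites every jail that uses `port = ssh`, not only `[sshd]`; if that is intended, a comment saying so would help the next reader.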
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index bcb81ca..ce39bd1 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -4,12 +4,17 @@ - include: base.yml - include: ssh.yml -- include: firewall.yml - include: hostname.yml when: with_custom_hostname - include: ssmtp.yml + +- include: fail2ban.yml + tags: fail2ban + +- include: firewall.yml + - include: logwatch.yml # Optionnals From a13b3330658012712c6dbf2b8fe2529abcbaf02b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20D=C3=A9rus?= Date: Sun, 17 Dec 2017 16:11:00 +0100 Subject: [PATCH 05/10] [*] Updating readme --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index e2a236d..37f1ef7 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ Tested on a Rpi 3 B+ and a Rpi 1 B. - Custom sudo user for rpi (*thus disabling pi as Rpi sudoer*) - `oh-my-zsh` install and vim as default editor - Dynamic network folder and local drive setup (*Works with SAMBA and include basic credentials management*) +- Fail2Ban configuration to send mail via SSMTP and handle custom SSH port - Optional hostname update and Zeroconf - Optional custom SSH banner - Optional Wifi config From d3513d6df8cdfd8d491c9e8d3ff271eb6cb86671 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20D=C3=A9rus?= Date: Sun, 17 Dec 2017 19:36:07 +0100 Subject: [PATCH 06/10] [+] Generating jail.local for user custom rules --- roles/common/defaults/main.yml | 2 ++ roles/common/tasks/fail2ban.yml | 9 ++++++++ roles/common/templates/fail2ban/jail.local.j2 | 23 +++++++++++++++++++ 3 files changed, 34 insertions(+) create mode 100644 roles/common/templates/fail2ban/jail.local.j2 diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml index 98a69db..37a5c00 100644 --- a/roles/common/defaults/main.yml +++ b/roles/common/defaults/main.yml 
@@ -37,3 +37,5 @@ server_allow_upgrade: true
 server_allow_reboot: true
 
 server_fail2ban_jail_file: /etc/fail2ban/jail.conf
+server_fail2ban_jail_local_file: /etc/fail2ban/jail.local
+server_fail2ban_services: []
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index 85d8f20..aa2b69a 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -23,3 +23,12 @@
     line: 'action = %(action_mwl)s'
     state: present
   notify: Restart fail2ban
+
+- name: Generate jail.local file
+  template:
+    src: fail2ban/jail.local.j2
+    dest: '{{ server_fail2ban_jail_local_file }}'
+    owner: root
+    group: root
+    mode: 0644
+  notify: Restart fail2ban
diff --git a/roles/common/templates/fail2ban/jail.local.j2 b/roles/common/templates/fail2ban/jail.local.j2
new file mode 100644
index 0000000..f1ca1ba
--- /dev/null
+++ b/roles/common/templates/fail2ban/jail.local.j2
@@ -0,0 +1,23 @@
+# {{ ansible_managed }}
+
+{% for service in server_fail2ban_services %}
+[{{ service.name }}]
+
+enabled = {{ '"%s"' | format(service.enabled | lower) }}
+port = {{ service.port }}
+filter = {{ service.filter }}
+logpath = {{ service.logpath }}
+{% if service.maxretry is defined %}
+maxretry = {{ service.maxretry }}
+{% endif %}
+{% if service.protocol is defined %}
+protocol = {{ service.protocol }}
+{% endif %}
+{% if service.action is defined %}
+action = %({{ service.action }})s
+{% endif %}
+{% if service.banaction is defined %}
+banaction = {{ service.banaction }}
+{% endif %}
+
+{% endfor %}

From 4d5a024e6ad31b707799e50e3970ac26af8d4b7f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20D=C3=A9rus?=
Date: Sun, 17 Dec 2017 19:36:18 +0100
Subject: [PATCH 07/10] [-] Fixing action regexp

---
 roles/common/tasks/fail2ban.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index aa2b69a..340bbb8 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
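Review bot: `mode: 0644` in the new "Generate jail.local file" task is an unquoted leading-zero literal; YAML 1.1 loaders read it as the integer 420 and Ansible happens to map that back to 0644, but the same construct written as `644` or with a `0o` prefix behaves differently across parsers, which is why Ansible's docs recommend the quoted form `mode: '0644'`. It is a style point rather than a bug here, and it keeps the task consistent with the quoted `dest` and `src` values above it.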
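Review bot: `enabled = {{ '"%s"' | format(service.enabled | lower) }}` renders `enabled = "true"` with literal double quotes, which is not the form the shipped `jail.conf` uses (`enabled = true`); fail2ban reads this option through its INI parser as a boolean, and a quoted string is likely to be rejected or logged as an invalid value, so a jail the playbook declares enabled may silently stay off. Rendering the bare value, `enabled = {{ service.enabled | lower }}`, matches the vendor file and drops the format gymnastics. A header comment in the template naming the required keys (`name`, `enabled`, `port`, `filter`, `logpath`) and the optional ones (`maxretry`, `protocol`, `action`, `banaction`) would also help, since a missing required key currently surfaces only as an undefined-attribute error at render time.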
@@ -19,7 +19,7 @@
 - name: Send more than an ip on jailed
   lineinfile:
     path: '{{ server_fail2ban_jail_file }}'
-    regexp: '^action\s+=\s+\%\(action_\)s$'
+    regexp: '^action\s+=\s+\%\(action_\w+\)s'
     line: 'action = %(action_mwl)s'
     state: present
   notify: Restart fail2ban

From 41071a17136d5f02f8790b6533985f51b1ca329e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20D=C3=A9rus?=
Date: Sun, 17 Dec 2017 19:39:14 +0100
Subject: [PATCH 08/10] [*] Easier email override for fail2ban

---
 roles/common/defaults/main.yml  | 1 +
 roles/common/tasks/fail2ban.yml | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/roles/common/defaults/main.yml b/roles/common/defaults/main.yml
index 37a5c00..d751411 100644
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -39,3 +39,4 @@ server_allow_reboot: true
 server_fail2ban_jail_file: /etc/fail2ban/jail.conf
 server_fail2ban_jail_local_file: /etc/fail2ban/jail.local
 server_fail2ban_services: []
+server_fail2ban_email: '{{ ssmtp_email }}'
diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml
index 340bbb8..158b497 100644
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -12,7 +12,7 @@
   lineinfile:
     path: '{{ server_fail2ban_jail_file }}'
     regexp: '^destemail\s+='
-    line: 'destemail = {{ ssmtp_email }}'
+    line: 'destemail = {{ server_fail2ban_email }}'
     state: present
   notify: Restart fail2ban
 

From a0681866875226a98d50b93809f5e4ef33410824 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20D=C3=A9rus?=
Date: Sun, 17 Dec 2017 19:41:46 +0100
Subject: [PATCH 09/10] [*] Updating readme and variables example

---
 README.md         |  3 ++-
 variables.yml.inc | 12 ++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 37f1ef7..05e1c3f 100644
--- a/README.md
+++ b/README.md
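Review bot: The widened regexp now matches any `action = %(action_…)s` line, but `lineinfile` only rewrites the last match in the file; if the target fail2ban release ships a `jail.conf` with such a line in a per-jail section below `[DEFAULT]` (worth checking against the installed version), the global default stays at `%(action_)s` and the mail-with-log action lands on that one jail instead. The `replace` module already used for the port task rewrites every match and would make this task behave the same way, or the override can move to the `[DEFAULT]` section of the generated `jail.local`. Dropping the `$` anchor also means the task rewrites an existing `%(action_mwl)s` line with itself, which is harmless but deserves a one-line comment so nobody re-adds the anchor. The first task of this file lies outside the hunk.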
@@ -21,7 +21,8 @@ Tested on a Rpi 3 B+ and a Rpi 1 B.
 - Custom sudo user for rpi (*thus disabling pi as Rpi sudoer*)
 - `oh-my-zsh` install and vim as default editor
 - Dynamic network folder and local drive setup (*Works with SAMBA and include basic credentials management*)
-- Fail2Ban configuration to send mail via SSMTP and handle custom SSH port
+- Fail2Ban configuration to send mail via SSMTP, handle a custom SSH port and
+  some user-defined services
 - Optional hostname update and Zeroconf
 - Optional custom SSH banner
 - Optional Wifi config
diff --git a/variables.yml.inc b/variables.yml.inc
index c396f6b..5f262c4 100644
--- a/variables.yml.inc
+++ b/variables.yml.inc
@@ -103,6 +103,18 @@ with_vim: True
 # server_sudo_nopasswd_users:
 # - neo
 
+# Fail2Ban
+
+server_fail2ban_services:
+  - name: apache-auth-custom
+    enabled: true
+    port: http,https
+    filter: apache-auth
+    logpath: '/custom/apache/log/file.log'
+    maxretry: 3
+
+server_fail2ban_email: admin+fail2ban@gmail.com
+
 ########################
 # Download server Role #
 ########################

From 2c33cb0e3a9c792fe7955595664bc711f736f13e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20D=C3=A9rus?=
Date: Sun, 17 Dec 2017 19:42:50 +0100
Subject: [PATCH 10/10] [*] Version bump

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 05e1c3f..a6a52d7 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# ansible-rpi 0.7.0
+# ansible-rpi 0.8.0
 
 ## Purpose
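Review bot: Unlike the neighbouring `server_unsudoed_users` and `server_sudo_nopasswd_users` examples, the new `server_fail2ban_services` block in `variables.yml.inc` is live rather than commented out, so anyone copying the file as-is enables an `apache-auth-custom` jail watching `/custom/apache/log/file.log`; fail2ban refuses to start a jail whose logpath does not exist, and depending on the version that error can take the whole service down, leaving the host with no brute-force protection at all. Commenting the example out (`# server_fail2ban_services:` …) follows the file's own convention and keeps the role default of `[]`. The same applies to `server_fail2ban_email: admin+fail2ban@gmail.com`, which silently replaces the `'{{ ssmtp_email }}'` default with a placeholder address, so ban notifications would go nowhere useful.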