Ansible playbooks
Install dependencies
pip3 install -r requirements.txtCreate your inventory.yml according to site.yml , for example
nym-servers:
hosts:
somehost.lanand
ansible-playbook -i inventory.yml site.yml- Debian based servers
- rely on UFW
| PID | name | Description |
|---|---|---|
| 1001 | metrics | account used for every prometheus exporters |
| 1002 | grafana | |
| 1003 | prometheus | |
| 1004 | nym | runs all Nym service |
| 1005 | gh-runner | Github runner service account |
| 1006 | alertmanager | Prometheus altermanager |
<Role name>:
hosts:
<host name>:
knock_ports: opt. list[int] # port sequence to set port knocking
ssh_keys: opt. list[str] # additional ssh keys to be happened to sudoer's authorized_keysall technical users running the various services are limited to a restricted shell (a.k.a.
/bin/rbash) exept for gh-runner
dmz-servers:
hosts:
cook:
gh_runner_url: https://github.com/<some_user_or_organisation>/<some_repo>
gh_runner_token: <token>
gh_runner_labels: AMR64,Linux,self-hosted- 5380
- 53
Simply add
technitium-servers:
hosts:
magellan:
admin_password: <your admin password>to your inventory
Use an existing key pair or generate one following the documentation. You can add peers directly in the inventory.
wireguard-servers:
hosts:
magellan:
PublicKey: <key>
PrivateKey: <key>
WG_PORT: 4119
peers:
- name: some_client
PublicKey: <key>
AllowedIPs: 10.10.10.2/32This set up forwards packets from eth0 wg0 both ways and relies on MASQUERADE. See roles/wireguard/templates/add-nat-routing.sh.j2 and roles/wireguard/templates/remote-nat-routing.sh.j2 for details.
- 3000
These services can only live on the same node
prometheus-servers:
hosts:
some.host.com:
alert_webhook_url: https://discordapp.com/ # Discord webhook
grafana_admin: <some_password> # admin password
dashboards: # dashboard to be installed
- https://grafana.com/api/dashboards/1860/revisions/37/downloadSee this doc for details
This playbook allow the user to secure any host's sshd service using knockd. To set a series of ports, simply add a knock_ports for this host in the inventory.yml
nym-servers:
hosts:
some.host.com:
knock_ports:
- 1
- 2
- 3 When set, ssh service is no longer visible
@ nmap some.host.com -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-09 15:24 CEST
Nmap scan report for some.host.com (192.168.1.59)
Host is up (0.00032s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
8080/tcp open http-proxy
...Except after providing the right sequence
@ knock some.host.com 1 2 3
@ nmap some.host.com -Pn
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-09 15:24 CEST
Nmap scan report for some.host.com (192.168.1.59)
Host is up (0.00032s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http-proxy
...This playbook handles knocking using roles/common/knocking.yml. This involves to had it as pre_tasks and to disable gather_facts, for it is performed at module initialization
gather_facts: false
pre_tasks:
- name: Import pre_tasks
ansible.builtin.import_tasks: 'roles/common/knocking.yml'