security role and SSH fixes #77

2025-06-07 07:33:52 +02:00 · 2016-08-26 00:35:07 +03:00 · 2016-08-26 00:35:07 +03:00 · 00e4bcc1ec
commit 00e4bcc1ec
parent 8c5f80bf8f
14 changed files with 64 additions and 12 deletions
--- a/digitalocean.yml
+++ b/digitalocean.yml
@ -70,6 +70,11 @@
    default: "y"
    private: no

+  - name: "security_enabled"
+    prompt: "Do you want to enable the security role? (y/n):\n"
+    default: "y"
+    private: no
+
  - name: "easyrsa_p12_export_password"
    prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
    default: "vpnpw"
@ -130,7 +135,7 @@

  roles:
    - common
-    - security
+    - { role: security, when: security_enabled is defined and security_enabled == "y" }
    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
    - { role: dns_adblocking, when: dns_enabled is defined and dns_enabled == "y" }
    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
--- a/ec2.yml
+++ b/ec2.yml
@ -76,6 +76,11 @@
    default: "y"
    private: no

+  - name: "security_enabled"
+    prompt: "Do you want to enable the security role? (y/n):\n"
+    default: "y"
+    private: no
+
  - name: "easyrsa_p12_export_password"
    prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
    default: "vpnpw"
@ -99,7 +104,7 @@

  roles:
    - common
-    - security
+    - { role: security, when: security_enabled is defined and security_enabled == "y" }
    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
--- a/gce.yml
+++ b/gce.yml
@ -74,6 +74,11 @@
    default: "y"
    private: no

+  - name: "security_enabled"
+    prompt: "Do you want to enable the security role? (y/n):\n"
+    default: "y"
+    private: no
+
  - name: "easyrsa_p12_export_password"
    prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
    default: "vpnpw"
@ -97,7 +102,7 @@

  roles:
    - common
-    - security
+    - { role: security, when: security_enabled is defined and security_enabled == "y" }
    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
--- a/non-cloud.yml
+++ b/non-cloud.yml
@ -35,6 +35,11 @@
    default: "y"
    private: no

+  - name: "security_enabled"
+    prompt: "Do you want to enable the security role? (y/n):\n"
+    default: "y"
+    private: no
+
  - name: "easyrsa_p12_export_password"
    prompt: "Enter a password for p12 certificates and SSH private keys: (minimum five characters)\n"
    default: "vpnpw"
@ -54,6 +59,7 @@
        dns_enabled: "{{ dns_enabled }}"
        proxy_enabled: "{{ proxy_enabled }}"
        ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
+        security_enabled: "{{ security_enabled }}"
        auditd_enabled: " {{ auditd_enabled }}"
        easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
        IP_subject: "{{ IP_subject }}"
@ -75,7 +81,7 @@

  roles:
    - common
-    - security
+    - { role: security, when: security_enabled is defined and security_enabled == "y" }
    - { role: proxy, when: proxy_enabled is defined and proxy_enabled == "y" }
    - { role: dns_adblocking , when: dns_enabled is defined and dns_enabled == "y" }
    - { role: logging, when: auditd_enabled is defined and auditd_enabled == "y" }
--- a/roles/cloud-digitalocean/tasks/main.yml
+++ b/roles/cloud-digitalocean/tasks/main.yml
@ -34,6 +34,7 @@
    dns_enabled: "{{ dns_enabled }}"
    proxy_enabled: "{{ proxy_enabled }}"
    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
+    security_enabled: "{{ security_enabled }}"
    auditd_enabled: " {{ auditd_enabled }}"
    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
    cloud_provider: digitalocean
--- a/roles/cloud-ec2/tasks/main.yml
+++ b/roles/cloud-ec2/tasks/main.yml
@ -72,6 +72,7 @@
    dns_enabled: "{{ dns_enabled }}"
    proxy_enabled: "{{ proxy_enabled }}"
    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
+    security_enabled: "{{ security_enabled }}"
    auditd_enabled: " {{ auditd_enabled }}"
    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
    cloud_provider: ec2
--- a/roles/cloud-gce/tasks/main.yml
+++ b/roles/cloud-gce/tasks/main.yml
@ -24,6 +24,7 @@
    proxy_enabled: "{{ proxy_enabled }}"
    ssh_tunneling_enabled: "{{ ssh_tunneling_enabled }}"
    auditd_enabled: " {{ auditd_enabled }}"
+    security_enabled: "{{ security_enabled }}"
    easyrsa_p12_export_password: "{{ easyrsa_p12_export_password }}"
    cloud_provider: gce
    ipv6_support: no
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@ -1,9 +1,6 @@
 - name: restart rsyslog
  service: name=rsyslog state=restarted

- name: restart ssh
-  service: name=ssh state=restarted
-
 - name: flush routing cache
  shell: echo 1 > /proc/sys/net/ipv4/route/flush

--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -30,11 +30,6 @@
  when: reboot_required is defined and reboot_required.stdout == 'required'
  become: false

- name: SSH config
-  template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
-  notify:
-    - restart ssh
-
 - name: Disable MOTD on login and SSHD
  replace: dest="{{ item.file }}" regexp="{{ item.regexp }}" replace="{{ item.line }}"
  with_items:
--- a/roles/security/handlers/main.yml
+++ b/roles/security/handlers/main.yml
@ -1,6 +1,9 @@
 - name: restart rsyslog
  service: name=rsyslog state=restarted

+- name: restart ssh
+  service: name=ssh state=restarted
+
 - name: restart iptables
  service: name=netfilter-persistent state=restarted

--- a/roles/security/tasks/main.yml
+++ b/roles/security/tasks/main.yml
@ -100,3 +100,8 @@
    - { src: rules.v6.j2, dest: /etc/iptables/rules.v6 }
  notify:
    - restart iptables
+
+- name: SSH config
+  template: src=sshd_config.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0644
+  notify:
+    - restart ssh
--- a/roles/security/templates/sshd_config.j2
+++ b/roles/security/templates/sshd_config.j2
--- a/roles/ssh_tunneling/tasks/main.yml
+++ b/roles/ssh_tunneling/tasks/main.yml
@ -1,5 +1,19 @@
 ---

+- name: Ensure that the sshd_config file has desired options
+  blockinfile:
+    dest: /etc/ssh/sshd_config
+    marker: '# ANSIBLE_MANAGED_ssh_tunneling_role'
+    block: |
+      Match Group algo
+          AllowTcpForwarding remote
+          AllowAgentForwarding no
+          AllowStreamLocalForwarding no
+          PermitTunnel no
+          X11Forwarding no
+  notify:
+    - restart ssh
+
 - name: Ensure that the algo group exist
  group: name=algo state=present

--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@ -20,6 +20,20 @@
    - strongswan
    - netfilter-persistent

+- name: Configure iptables so IPSec traffic can traverse the tunnel
+  iptables: table=nat chain=POSTROUTING source="{{ vpn_network }}" jump=MASQUERADE
+  when: (security_enabled is not defined) or
+        (security_enabled is defined and security_enabled != "y")
+  notify:
+    - save iptables
+
+- name: Configure ip6tables so IPSec traffic can traverse the tunnel
+  iptables: ip_version=ipv6 table=nat chain=POSTROUTING source="{{ vpn_network_ipv6 }}" jump=MASQUERADE
+  when: (security_enabled is not defined) or
+        (security_enabled is defined and security_enabled != "y")
+  notify:
+    - save iptables
+
 - name: Ensure that the strongswan group exist
  group: name=strongswan state=present