From 78b894192c5beb2808cbf616afd014618a1ee4f4 Mon Sep 17 00:00:00 2001
From: Albert Stefanov
Date: Sun, 18 Feb 2024 09:52:10 +0200
Subject: [PATCH] Support nftables
---
 ansible/main.yml | 1 +
 ansible/roles/common/files/nftables.service | 20 +++++++++
 ansible/roles/common/handlers/main.yml | 6 +++
 ansible/roles/common/tasks/firewall.yml | 44 +++++++++++++++++++
 ansible/roles/common/tasks/main.yml | 4 ++
 .../roles/common/templates/nftables.conf.j2 | 38 ++++++++++++++++
 ansible/roles/container-user/tasks/main.yml | 2 +-
 ansible/roles/reverse-proxy/files/Caddyfile | 2 +-
 ansible/roles/reverse-proxy/files/caddy.nft | 5 +++
 ansible/roles/reverse-proxy/tasks/main.yml | 17 +++++++
 ansible/tasks/create_vhost.yml | 5 +--
 ansible/templates/vhost.caddy.j2 | 2 +-
 12 files changed, 139 insertions(+), 7 deletions(-)
 create mode 100644 ansible/roles/common/files/nftables.service
 create mode 100644 ansible/roles/common/handlers/main.yml
 create mode 100644 ansible/roles/common/tasks/firewall.yml
 create mode 100644 ansible/roles/common/templates/nftables.conf.j2
 create mode 100644 ansible/roles/reverse-proxy/files/caddy.nft
diff --git a/ansible/main.yml b/ansible/main.yml
index 2943d10..49c95cf 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -8,4 +8,5 @@
- name: Auth Server setup
hosts: authservers
roles:
+ - common
- auth-server
diff --git a/ansible/roles/common/files/nftables.service b/ansible/roles/common/files/nftables.service
new file mode 100644
index 0000000..769c9fc
--- /dev/null
+++ b/ansible/roles/common/files/nftables.service
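Review bot: Adding `common` to the authservers play pulls in firewall.yml whenever `firewall` is defined for that group, but this diff adds no `/etc/nftables/input.d/*.nft` drop-in for the auth-server role (only reverse-proxy ships `caddy.nft`), so an auth server with `firewall` defined would accept only SSH and ICMP and reject every other inbound port. Whether that breaks the auth service depends on which ports it listens on, which is not visible here. Either the auth-server role needs its own input.d drop-in, or the play should say so explicitly, e.g. `# firewall.yml opens SSH only; each role must drop its service ports into /etc/nftables/input.d/`.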
@@ -0,0 +1,20 @@
+[Unit]
+Description=nftables
+Documentation=man:nft(8) http://wiki.nftables.org
+Wants=network-pre.target
+Before=network-pre.target shutdown.target
+Conflicts=shutdown.target
+DefaultDependencies=no
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=null
+ProtectSystem=full
+ProtectHome=true
+ExecStart=/usr/sbin/nft -f /etc/nftables.conf
+ExecReload=/usr/sbin/nft -f /etc/nftables.conf
+ExecStop=/usr/sbin/nft flush ruleset
+
+[Install]
+WantedBy=sysinit.target
diff --git a/ansible/roles/common/handlers/main.yml b/ansible/roles/common/handlers/main.yml
new file mode 100644
index 0000000..005041f
--- /dev/null
+++ b/ansible/roles/common/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Restart nftables
+ ansible.builtin.service:
+ name: nftables.service
+ state: restarted
diff --git a/ansible/roles/common/tasks/firewall.yml b/ansible/roles/common/tasks/firewall.yml
new file mode 100644
index 0000000..36d86bf
--- /dev/null
+++ b/ansible/roles/common/tasks/firewall.yml
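Review bot: `ExecStop=/usr/sbin/nft flush ruleset` means that stopping this unit removes every table, chain and policy, leaving the host with no packet filtering at all rather than a closed default; that is also the state the host passes through during a `systemctl restart`, and the state it stays in if the subsequent `ExecStart` fails to parse the new file. Because `nft -f` applies the file as one atomic transaction (the template's leading `flush ruleset` is part of that transaction), `ExecReload` is the safe way to apply changes and a bad ruleset is then rejected without touching the running one. Worth stating in the unit so nobody reaches for restart, e.g. `# ExecStop removes all rules (host becomes open); apply changes with reload, not restart` above the ExecStop line.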
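Review bot: `state: restarted` on nftables.service runs the unit's `ExecStop` (`nft flush ruleset`) before `ExecStart`, so every notify opens a window with no firewall rules, and a syntax error in a newly templated file leaves the host open permanently because the flush has already happened when `nft -f` fails. `nft -f` is atomic and the unit defines `ExecReload` with the same command, so the handler should use `state: reloaded`, which keeps the old ruleset loaded if the new file is rejected. The name then becomes misleading; renaming it `- name: Reload nftables` means updating `notify: Restart nftables` in the reverse-proxy role in the same commit.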
@@ -0,0 +1,44 @@
+---
+
+- name: Install nftables
+ ansible.builtin.package:
+ name: nftables
+ state: present
+
+- name: Get available services
+ ansible.builtin.service_facts:
+
+
+- name: Create service file
+ ansible.builtin.copy:
+ src: nftables.service
+ dest: /etc/systemd/system/nftables.service
+ state: present
+ when: ansible_facts.services['nftables.service'] is not defined
+
+- name: Add config file
+ ansible.builtin.template:
+ src: nftables.conf.j2
+ dest: "{{ nftables_main_file[ansible_os_family] | default('/etc/nftables.conf') }}"
+ vars:
+ nftables_main_file:
+ Debian: /etc/nftables.conf
+ RedHat: /etc/nftables/main.nft
+
+- name: Create subdirs
+ ansible.builtin.file:
+ name: "{{ item }}"
+ state: directory
+ with_items:
+ - /etc/nftables/input.d
+ - /etc/nftables/forward.d
+ - /etc/nftables/output.d
+ - /etc/nftables/filter.d
+ - /etc/nftables/global.d
+
+- name: Enable and start nftables
+ ansible.builtin.systemd_service:
+ name: nftables.service
+ enabled: true
+ state: started
+ daemon_reload: true
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index b03523d..9440094 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -7,3 +7,7 @@
ansible.builtin.package:
name: sudo
state: present
+
+- name: Setup firewall
+ ansible.builtin.include_tasks: firewall.yml
+ when: firewall is defined
diff --git a/ansible/roles/common/templates/nftables.conf.j2 b/ansible/roles/common/templates/nftables.conf.j2
new file mode 100644
index 0000000..dab350f
--- /dev/null
+++ b/ansible/roles/common/templates/nftables.conf.j2
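Review bot: The `Add config file` task has no `notify: Restart nftables`, so a changed ruleset is written to disk but never loaded: the final `systemd_service` task only asserts `state: started`, which is a no-op on a host where the unit is already active, and the new rules take effect only at the next reboot. Add `notify: Restart nftables` to that task (and to `Create service file`). Separately, `ansible.builtin.copy` has no `state` parameter, so the `state: present` line in `Create service file` fails with an unsupported-parameter error on exactly the hosts where its `when` is true (those without a packaged unit); drop that line. The RedHat path `/etc/nftables/main.nft` is, as far as I recall, only read if the distribution's `/etc/sysconfig/nftables.conf` includes it, which this role does not ensure — worth a comment on the `vars:` block until verified.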
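Review bot: `when: firewall is defined` makes the firewall opt-in: any host or group that never sets `firewall` silently gets no nftables ruleset, and because the template already defaults every policy, an empty mapping is all that is needed to enable it. If opt-in is the intent, document it at this task, e.g. `# Firewall is opt-in: set firewall: {} (or explicit policies) in group_vars to enable it`; if hosts should be firewalled by default, gate on `when: firewall.enabled | default(true)` instead.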
@@ -0,0 +1,38 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+include "/etc/nftables/global.d/*.nft";
+
+table inet filter {
+ include "/etc/nftables/filter.d/*.nft";
+
+ chain input {
+ type filter hook input priority filter; policy {{ firewall.input_policy | default('drop') }};
+
+ iif lo accept
+
+ # Anti-klonootryazvane
+ tcp dport ssh accept
+ ct state established,related accept
+
+ # Don't block ICMP
+ ip protocol icmp accept
+ ip6 nexthdr icmpv6 accept
+
+ include "/etc/nftables/input.d/*.nft";
+
+ # Should we reject or drop?
+ ip protocol tcp reject with tcp reset
+ ip6 nexthdr tcp reject with tcp reset
+ reject
+ }
+
+ chain forward {
+ type filter hook forward priority filter; policy {{ firewall.forward_policy | default('drop') }};
+ }
+
+ chain output {
+ type filter hook output priority filter; policy {{ firewall.output_policy | default('accept') }};
+ }
+}
diff --git a/ansible/roles/container-user/tasks/main.yml b/ansible/roles/container-user/tasks/main.yml
index 12495a7..5917c47 100644
--- a/ansible/roles/container-user/tasks/main.yml
+++ b/ansible/roles/container-user/tasks/main.yml
@@ -16,7 +16,7 @@
uid: "{{ uid | default(omit) }}"
state: present
-- name: Add public keys for user '{{ podman_user_name }}'
+- name: Add public keys for user '{{ user }}'
ansible.posix.authorized_key:
user: "{{ user }}"
key: "{{ lookup('file', '../../access/keys/' + item + '.pub') }}"
diff --git a/ansible/roles/reverse-proxy/files/Caddyfile b/ansible/roles/reverse-proxy/files/Caddyfile
index cc7db48..3011109 100644
--- a/ansible/roles/reverse-proxy/files/Caddyfile
+++ b/ansible/roles/reverse-proxy/files/Caddyfile
@@ -1,6 +1,6 @@
(vhost-access-log) {
log {
- output file /var/log/caddy/{args[0]}-access.log
+ output file /var/log/caddy/{args.0}-access.log
}
}
diff --git a/ansible/roles/reverse-proxy/files/caddy.nft b/ansible/roles/reverse-proxy/files/caddy.nft
new file mode 100644
index 0000000..c5493dd
--- /dev/null
+++ b/ansible/roles/reverse-proxy/files/caddy.nft
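Review bot: The bare `reject` at the end of `chain input` matches every packet that reaches it, so the chain policy is never consulted and `firewall.input_policy` is dead: the default `drop` still actively rejects (answering the open question in `# Should we reject or drop?`), and `input_policy: accept` silently rejects everything a drop-in did not open. Since nftables chain policies are only `accept` or `drop`, the reject behaviour should be its own switch, e.g. wrap the three reject lines in `{% if firewall.input_reject | default(true) %}` … `{% endif %}` and let the policy apply when it is false. `ip6 nexthdr icmpv6` (and `ip6 nexthdr tcp`) only match when that protocol is the first next-header, so ICMPv6 behind an extension header falls through to the reject; `meta l4proto ipv6-icmp accept` is the robust form. The transliterated comment `# Anti-klonootryazvane` should be English for the next maintainer, e.g. `# Keep SSH reachable so a bad ruleset cannot lock us out`.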
@@ -0,0 +1,5 @@
+# HTTP / HTTPS
+tcp dport { http, https } accept
+
+# QUIC
+udp dport https accept
diff --git a/ansible/roles/reverse-proxy/tasks/main.yml b/ansible/roles/reverse-proxy/tasks/main.yml
index c6965a7..a0a0ba9 100644
--- a/ansible/roles/reverse-proxy/tasks/main.yml
+++ b/ansible/roles/reverse-proxy/tasks/main.yml
@@ -17,9 +17,26 @@
with_items:
- /etc/caddy/sites-available
- /etc/caddy/sites-enabled
+ - /var/log/caddy
+
+- name: Configure logging dir
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: directory
+ owner: caddy
+ group: caddy
+ with_items:
+ - /var/log/caddy
- name: Enable and start the Caddy server
ansible.builtin.service:
name: caddy.service
enabled: true
state: started
+
+- name: Configure nftables
+ ansible.builtin.copy:
+ dest: /etc/nftables/input.d/caddy.nft
+ src: caddy.nft
+ when: firewall is defined
+ notify: Restart nftables
diff --git a/ansible/tasks/create_vhost.yml b/ansible/tasks/create_vhost.yml
index 9ea16ff..46f6688 100644
--- a/ansible/tasks/create_vhost.yml
+++ b/ansible/tasks/create_vhost.yml
@@ -3,9 +3,6 @@
- name: Check params
ansible.builtin.assert:
that:
- - app_name is defined
- - external_url is defined
- - proxy_url is defined
- not(tls.type == "cloudflare" and tls.cloudflare_token is undefined)
- not(tls.type == "file" and (tls.cert is undefined or tls.key is undefined))
- tls.type is not defined or (tls.type in ['auto', 'internal', 'cloudflare', 'file'] )
@@ -16,7 +13,7 @@
- name: Template vhost file
ansible.builtin.template:
- src: vhost.caddy.j2
+ src: "{{ template_file | default('vhost.caddy.j2') }}"
dest: "/etc/caddy/sites-available/{{ app_name }}.caddy"
- name: Symlink vhost
diff --git a/ansible/templates/vhost.caddy.j2 b/ansible/templates/vhost.caddy.j2
index 58b2cd9..3d95208 100644
--- a/ansible/templates/vhost.caddy.j2
+++ b/ansible/templates/vhost.caddy.j2
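Review bot: `Configure logging dir` sets `owner`/`group` to caddy on `/var/log/caddy` but no `mode`, so the directory keeps whatever the earlier creation task gave it (presumably the umask default 0755) and the per-vhost access logs — client IPs and request paths — are listable and, unless Caddy's file writer is configured with a restrictive mode, readable by every local user; add `mode: "0750"` to that task. `/var/log/caddy` is now also appended to the earlier `with_items` list whose task starts outside the hunk, which is redundant once this task creates the directory. `notify: Restart nftables` names a handler that lives in the `common` role, so it only resolves if `common` is applied in the same play as `reverse-proxy`; the diff shows that for authservers but not for the proxy hosts.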
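Review bot: Dropping `app_name is defined` from the assert removes the only clear precondition message, while `dest: "/etc/caddy/sites-available/{{ app_name }}.caddy"` in the next hunk still requires `app_name` and now fails with a generic undefined-variable error; `proxy_url` likewise stays mandatory for the default template. If the goal is to let a custom `template_file` skip `external_url`/`proxy_url`, keep the name check and make the other two conditional: `- app_name is defined` and `- template_file is defined or (external_url is defined and proxy_url is defined)`.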
@@ -13,5 +13,5 @@
{% endif %}
reverse_proxy {{ proxy_url }}
- import vhost-access-log {{ app_name }}
+ import vhost-access-log {{ app_name | default('default') }}
}
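Review bot: `app_name | default('default')` can never take effect when this template is rendered through create_vhost.yml, because that task's `dest` path interpolates `app_name` unconditionally and fails first; if some other caller renders it without `app_name`, every such vhost would write to the same `/var/log/caddy/default-access.log`, mixing access logs across sites. Prefer dropping the default so a missing `app_name` fails loudly, exactly as `proxy_url` on the line above does. The enclosing site block starts outside this hunk.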