Support nftables
parent
7ef8dfa40e
commit
78b894192c
|
@ -8,4 +8,5 @@
|
||||||
- name: Auth Server setup
|
- name: Auth Server setup
|
||||||
hosts: authservers
|
hosts: authservers
|
||||||
roles:
|
roles:
|
||||||
|
- common
|
||||||
- auth-server
|
- auth-server
|
||||||
|
|
|
@ -0,0 +1,20 @@
|
||||||
|
[Unit]
|
||||||
|
Description=nftables
|
||||||
|
Documentation=man:nft(8) http://wiki.nftables.org
|
||||||
|
Wants=network-pre.target
|
||||||
|
Before=network-pre.target shutdown.target
|
||||||
|
Conflicts=shutdown.target
|
||||||
|
DefaultDependencies=no
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=oneshot
|
||||||
|
RemainAfterExit=yes
|
||||||
|
StandardInput=null
|
||||||
|
ProtectSystem=full
|
||||||
|
ProtectHome=true
|
||||||
|
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
|
||||||
|
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
|
||||||
|
ExecStop=/usr/sbin/nft flush ruleset
|
||||||
|
|
||||||
|
[Install]
|
||||||
|
WantedBy=sysinit.target
|
|
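Review bot: ExecStart and ExecReload hardcode `/etc/nftables.conf`, while the firewall tasks in this same commit template the ruleset to `/etc/nftables/main.nft` on RedHat-family hosts, so if this unit is ever installed on such a host (it is only copied when no `nftables.service` is detected, so this may never happen in practice) the service would load a file the role never writes. Either render the unit as a template that uses the same `nftables_main_file` lookup, or keep the path in one shared variable so the two cannot drift. A one-line header such as `# Loads the ruleset rendered by tasks/firewall.yml; keep the path in sync with nftables_main_file` would make the coupling visible to the next reader.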
@ -0,0 +1,6 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Restart nftables
|
||||||
|
ansible.builtin.service:
|
||||||
|
name: nftables.service
|
||||||
|
state: restarted
|
|
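Review bot: `state: restarted` runs the unit's ExecStop (`nft flush ruleset`) before ExecStart, so every notified config change leaves the host with an empty ruleset — no `policy drop` on input, every port open — for the window between the two commands. The unit defines ExecReload as `nft -f /etc/nftables.conf`, and the rendered config begins with `flush ruleset` inside that same `nft -f` transaction, so a reload replaces the ruleset atomically; change the handler to `state: reloaded`. On hosts that keep their distro-provided unit (the copy task is conditional) the reload semantics depend on that unit, so verify it also defines ExecReload. For consistency with the tasks in this commit, which use `ansible.builtin.systemd_service`, the handler could use the same module.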
@ -0,0 +1,44 @@
|
||||||
|
---
|
||||||
|
|
||||||
|
- name: Install nftables
|
||||||
|
ansible.builtin.package:
|
||||||
|
name: nftables
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Get available services
|
||||||
|
ansible.builtin.service_facts:
|
||||||
|
|
||||||
|
|
||||||
|
- name: Create service file
|
||||||
|
ansible.builtin.copy:
|
||||||
|
src: nftables.service
|
||||||
|
dest: /etc/systemd/system/nftables.service
|
||||||
|
state: present
|
||||||
|
when: ansible_facts.services['nftables.service'] is not defined
|
||||||
|
|
||||||
|
- name: Add config file
|
||||||
|
ansible.builtin.template:
|
||||||
|
src: nftables.conf.j2
|
||||||
|
dest: "{{ nftables_main_file[ansible_os_family] | default('/etc/nftables.conf') }}"
|
||||||
|
vars:
|
||||||
|
nftables_main_file:
|
||||||
|
Debian: /etc/nftables.conf
|
||||||
|
RedHat: /etc/nftables/main.nft
|
||||||
|
|
||||||
|
- name: Create subdirs
|
||||||
|
ansible.builtin.file:
|
||||||
|
name: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
with_items:
|
||||||
|
- /etc/nftables/input.d
|
||||||
|
- /etc/nftables/forward.d
|
||||||
|
- /etc/nftables/output.d
|
||||||
|
- /etc/nftables/filter.d
|
||||||
|
- /etc/nftables/global.d
|
||||||
|
|
||||||
|
- name: Enable and start nftables
|
||||||
|
ansible.builtin.systemd_service:
|
||||||
|
name: nftables.service
|
||||||
|
enabled: true
|
||||||
|
state: started
|
||||||
|
daemon_reload: true
|
|
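Review bot: `ansible.builtin.copy` has no `state` parameter, so the `Create service file` task fails with an unsupported-parameter error on the first host where the unit file is actually needed; drop `state: present` from that task. Separately, `Add config file` has no `notify` and `Enable and start nftables` uses `state: started`, so on an already-running host a changed ruleset is written to disk but never loaded — add `notify: Restart nftables` to the template task. Because the template interpolates `firewall.input_policy` and friends straight into nft syntax, also add `validate: /usr/sbin/nft -c -f %s` so an invalid value is rejected before it replaces the live ruleset; since the rendered file includes `/etc/nftables/*.d/*.nft`, move `Create subdirs` above `Add config file` so validation does not trip over directories that do not exist yet (whether nft errors or silently ignores a missing include directory depends on the version — verify).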
@ -7,3 +7,7 @@
|
||||||
ansible.builtin.package:
|
ansible.builtin.package:
|
||||||
name: sudo
|
name: sudo
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
- name: Setup firewall
|
||||||
|
ansible.builtin.include_tasks: firewall.yml
|
||||||
|
when: firewall is defined
|
||||||
|
|
|
@ -0,0 +1,38 @@
|
||||||
|
#!/usr/sbin/nft -f
|
||||||
|
|
||||||
|
flush ruleset
|
||||||
|
|
||||||
|
include "/etc/nftables/global.d/*.nft";
|
||||||
|
|
||||||
|
table inet filter {
|
||||||
|
include "/etc/nftables/filter.d/*.nft";
|
||||||
|
|
||||||
|
chain input {
|
||||||
|
type filter hook input priority filter; policy {{ firewall.input_policy | default('drop') }};
|
||||||
|
|
||||||
|
iif lo accept
|
||||||
|
|
||||||
|
# Anti-klonootryazvane
|
||||||
|
tcp dport ssh accept
|
||||||
|
ct state established,related accept
|
||||||
|
|
||||||
|
# Don't block ICMP
|
||||||
|
ip protocol icmp accept
|
||||||
|
ip6 nexthdr icmpv6 accept
|
||||||
|
|
||||||
|
include "/etc/nftables/input.d/*.nft";
|
||||||
|
|
||||||
|
# Should we reject or drop?
|
||||||
|
ip protocol tcp reject with tcp reset
|
||||||
|
ip6 nexthdr tcp reject with tcp reset
|
||||||
|
reject
|
||||||
|
}
|
||||||
|
|
||||||
|
chain forward {
|
||||||
|
type filter hook forward priority filter; policy {{ firewall.forward_policy | default('drop') }};
|
||||||
|
}
|
||||||
|
|
||||||
|
chain output {
|
||||||
|
type filter hook output priority filter; policy {{ firewall.output_policy | default('accept') }};
|
||||||
|
}
|
||||||
|
}
|
|
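Review bot: The input chain accepts `ct state established,related` with no preceding `ct state invalid drop`, so packets conntrack cannot classify fall through to the reject rules and receive an RST/ICMP reply instead of being silently dropped; add `ct state invalid drop` immediately before the established/related accept. The ICMPv6 match `ip6 nexthdr icmpv6` only matches when ICMPv6 is the immediate next header, so packets carrying IPv6 extension headers (the hop-by-hop option used by MLD, for example) miss it; in an `inet` table the usual form is a single `meta l4proto { icmp, ipv6-icmp } accept` replacing both ICMP lines. The `# Anti-klonootryazvane` comment should be in English so the reason the SSH accept sits above everything else is clear — it appears to mean "don't saw off the branch you are sitting on", so `# Anti-lockout: keep SSH reachable regardless of the rules that follow`. On the `# Should we reject or drop?` question: the three trailing reject rules take a verdict on every remaining packet, so the chain's `policy {{ firewall.input_policy | default('drop') }}` is never consulted and the `input_policy` variable is effectively dead for input; if reject is the intended behaviour, say so in the comment and consider dropping the variable, otherwise remove the reject lines and let the policy decide.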
@ -16,7 +16,7 @@
|
||||||
uid: "{{ uid | default(omit) }}"
|
uid: "{{ uid | default(omit) }}"
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Add public keys for user '{{ podman_user_name }}'
|
- name: Add public keys for user '{{ user }}'
|
||||||
ansible.posix.authorized_key:
|
ansible.posix.authorized_key:
|
||||||
user: "{{ user }}"
|
user: "{{ user }}"
|
||||||
key: "{{ lookup('file', '../../access/keys/' + item + '.pub') }}"
|
key: "{{ lookup('file', '../../access/keys/' + item + '.pub') }}"
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
(vhost-access-log) {
|
(vhost-access-log) {
|
||||||
log {
|
log {
|
||||||
output file /var/log/caddy/{args[0]}-access.log
|
output file /var/log/caddy/{args.0}-access.log
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,5 @@
|
||||||
|
# HTTP / HTTPS
|
||||||
|
tcp dport { http, https } accept
|
||||||
|
|
||||||
|
# QUIC
|
||||||
|
udp dport https accept
|
|
@ -17,9 +17,26 @@
|
||||||
with_items:
|
with_items:
|
||||||
- /etc/caddy/sites-available
|
- /etc/caddy/sites-available
|
||||||
- /etc/caddy/sites-enabled
|
- /etc/caddy/sites-enabled
|
||||||
|
- /var/log/caddy
|
||||||
|
|
||||||
|
- name: Configure logging dir
|
||||||
|
ansible.builtin.file:
|
||||||
|
path: "{{ item }}"
|
||||||
|
state: directory
|
||||||
|
owner: caddy
|
||||||
|
group: caddy
|
||||||
|
with_items:
|
||||||
|
- /var/log/caddy
|
||||||
|
|
||||||
- name: Enable and start the Caddy server
|
- name: Enable and start the Caddy server
|
||||||
ansible.builtin.service:
|
ansible.builtin.service:
|
||||||
name: caddy.service
|
name: caddy.service
|
||||||
enabled: true
|
enabled: true
|
||||||
state: started
|
state: started
|
||||||
|
|
||||||
|
- name: Configure nftables
|
||||||
|
ansible.builtin.copy:
|
||||||
|
dest: /etc/nftables/input.d/caddy.nft
|
||||||
|
src: caddy.nft
|
||||||
|
when: firewall is defined
|
||||||
|
notify: Restart nftables
|
||||||
|
|
|
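Review bot: `/var/log/caddy` is created twice — once in the directory list at the top of the hunk (that task's header lies outside the hunk) and again by the new `Configure logging dir` task — so the ownership the second task applies depends on whatever the first task already set; drop `- /var/log/caddy` from the first list and keep the dedicated task. That task sets owner and group but no `mode`, so the access logs the Caddyfile change now writes there end up with whatever permissions the first creation produced, typically world-readable; add `mode: "0750"` so client IPs and request paths are not readable by every local account. The `Configure nftables` task copies into `/etc/nftables/input.d/`, which only exists if the common role's firewall tasks ran first; the playbook hunk orders `common` ahead of `auth-server`, but nothing in this task enforces it, so a short comment such as `# requires the common role (firewall.yml) to have created /etc/nftables/input.d` would help.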
@ -3,9 +3,6 @@
|
||||||
- name: Check params
|
- name: Check params
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- app_name is defined
|
|
||||||
- external_url is defined
|
|
||||||
- proxy_url is defined
|
|
||||||
- not(tls.type == "cloudflare" and tls.cloudflare_token is undefined)
|
- not(tls.type == "cloudflare" and tls.cloudflare_token is undefined)
|
||||||
- not(tls.type == "file" and (tls.cert is undefined or tls.key is undefined))
|
- not(tls.type == "file" and (tls.cert is undefined or tls.key is undefined))
|
||||||
- tls.type is not defined or (tls.type in ['auto', 'internal', 'cloudflare', 'file'] )
|
- tls.type is not defined or (tls.type in ['auto', 'internal', 'cloudflare', 'file'] )
|
||||||
|
@ -16,7 +13,7 @@
|
||||||
|
|
||||||
- name: Template vhost file
|
- name: Template vhost file
|
||||||
ansible.builtin.template:
|
ansible.builtin.template:
|
||||||
src: vhost.caddy.j2
|
src: "{{ template_file | default('vhost.caddy.j2') }}"
|
||||||
dest: "/etc/caddy/sites-available/{{ app_name }}.caddy"
|
dest: "/etc/caddy/sites-available/{{ app_name }}.caddy"
|
||||||
|
|
||||||
- name: Symlink vhost
|
- name: Symlink vhost
|
||||||
|
|
|
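Review bot: The commit removes the `app_name is defined` and `proxy_url is defined` assertions, but both variables are still interpolated unconditionally afterwards — `dest: "/etc/caddy/sites-available/{{ app_name }}.caddy"` in the second hunk and `reverse_proxy {{ proxy_url }}` in the vhost template — so a missing value now surfaces as an undefined-variable failure mid-run instead of a clear `Check params` message. If the intent was only to make `app_name` optional (the template now defaults it to `'default'`), keep `- proxy_url is defined` in the assert, and keep `- external_url is defined` too if the template still references it (not visible here). The new `template_file | default('vhost.caddy.j2')` is fine as a playbook-controlled value, but a comment noting that the replacement template is expected to honour the same `proxy_url`/`tls` variables would avoid surprises.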
@ -13,5 +13,5 @@
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
reverse_proxy {{ proxy_url }}
|
reverse_proxy {{ proxy_url }}
|
||||||
import vhost-access-log {{ app_name }}
|
import vhost-access-log {{ app_name | default('default') }}
|
||||||
}
|
}
|
||||||
|
|
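Review bot: `app_name | default('default')` makes the access-log name fall back to `default-access.log`, but the task that renders this template (in this commit's tasks hunk) still writes to `/etc/caddy/sites-available/{{ app_name }}.caddy` with no default, so when `app_name` is undefined the render fails at `dest` before this fallback can ever apply; either apply the same default to `dest` or drop the default here. If the default is kept, be aware that every vhost without an `app_name` would share one log file. The enclosing site block starts outside the hunk.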