Compare commits

...

13 commits

Author SHA1 Message Date
f
fee595921c interconnect servers through the ekumen 2022-06-19 02:59:17 -03:00
f
2eef8b1a49 send syslog to a central server 2022-06-19 02:56:50 -03:00
f
244de034d8 don't modify the firewall 2022-06-19 02:52:54 -03:00
f
e3a5854361 general method for adding configuration files 2022-06-19 02:52:24 -03:00
f
ac9f6ba592 keep clock updated 2022-06-19 02:50:58 -03:00
f
1f650c21a7 also install packages from the configured alpine version #1 2022-06-19 02:46:26 -03:00
f
737c8c9129 docker data is encrypted 2022-06-19 02:45:45 -03:00
f
aaee98f089 templates follow dir tree 2022-06-18 23:48:22 -03:00
f
cd6a30e9c4 open SSH port! 2022-06-18 23:40:49 -03:00
f
2b18ae91e6 don't start root read only
otherwise services can't start
2022-06-18 22:43:18 -03:00
f
88f049324d enable ipset 2022-06-18 22:43:03 -03:00
f
d835871964 install bootloader correctly 2022-06-18 22:42:29 -03:00
f
55c3c5f052 unneeded rules 2022-06-18 19:53:48 -03:00
28 changed files with 213 additions and 39 deletions

1
.gitignore vendored
View file

@ -1 +1,2 @@
vault.key vault.key
ekumen/

View file

@ -100,7 +100,20 @@ ssh-copy-id root@your.host.name
## Configuring the playbook ## Configuring the playbook
Create a vault password: ### General configuration
#### Syslog
Syslog-ng is used to centralize logging into a single node. Edit the IP
address for your log server on `alpines.yml`:
```yaml
vars:
- log_server: "EKU:MEN:IP:ADD::RESS"
+ log_server: "10.13.12.1"
```
### Create a vault password
```bash ```bash
make vault.key make vault.key

View file

@ -5,6 +5,7 @@
vars: vars:
alpine_version: 3.16 alpine_version: 3.16
apk_version: 2.12.9-r3 apk_version: 2.12.9-r3
log_server: "EKU:MEN:IP:ADD::RESS"
packages: packages:
- alpine-base - alpine-base
- linux-virt - linux-virt
@ -24,6 +25,7 @@
- tinc - tinc
- prometheus-node-exporter - prometheus-node-exporter
- prometheus-node-exporter-openrc - prometheus-node-exporter-openrc
- ntpsec
tasks: tasks:
- include_tasks: "tasks/partition.yml" - include_tasks: "tasks/partition.yml"
- include_tasks: "tasks/encrypt.yml" - include_tasks: "tasks/encrypt.yml"

View file

@ -5,3 +5,4 @@
tasks: tasks:
- include_tasks: "tasks/encrypt.yml" - include_tasks: "tasks/encrypt.yml"
- include_tasks: "tasks/docker.yml" - include_tasks: "tasks/docker.yml"
- include_tasks: "tasks/ekumen.yml"

View file

@ -1,14 +1,14 @@
--- ---
- name: "Install syslinux bootloader" - name: "Install syslinux bootloader"
template: template:
src: "templates/update-extlinux.conf.j2" src: "templates/etc/update-extlinux.conf.j2"
dest: "/mnt/etc/update-extlinux.conf" dest: "/mnt/etc/update-extlinux.conf"
mode: "0644" mode: "0644"
- name: "Update configuration"
shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /sbin/update-extlinux"
- name: "Install bootloader in MBR. This is how `setup-disk` does it." - name: "Install bootloader in MBR. This is how `setup-disk` does it."
shell: "cat /mnt/usr/share/syslinux/mbr.bin > {{ disk_device }}" shell: "cat /mnt/usr/share/syslinux/mbr.bin > {{ disk_device }}"
- name: "Install syslinux configuration into /boot using chroot." - name: "Install syslinux configuration into /boot using chroot."
shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /sbin/extlinux --install /boot" shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /sbin/extlinux --install /boot"
- name: "Update configuration"
shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /sbin/update-extlinux"
- name: "Generate initramfs." - name: "Generate initramfs."
shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /bin/sh -c 'ls /lib/modules | xargs /sbin/mkinitfs -K'" shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /bin/sh -c 'ls /lib/modules | xargs /sbin/mkinitfs -K'"

View file

@ -1,4 +1,9 @@
--- ---
# TODO: Use a BTRFS subvolume instead?
- name: "Mount encrypted partition to /srv."
shell: "mount /srv"
args:
creates: "/srv/docker"
- name: "Prepare /srv to encrypt Docker files." - name: "Prepare /srv to encrypt Docker files."
file: file:
state: "directory" state: "directory"
@ -7,11 +12,6 @@
- "/srv/docker" - "/srv/docker"
- "/var/lib/docker" - "/var/lib/docker"
- name: "Bind mount /srv/docker to /var/lib/docker." - name: "Bind mount /srv/docker to /var/lib/docker."
mount: shell: "mount /var/lib/docker"
state: "mounted"
src: "/srv/docker"
path: "/var/lib/docker"
opts: "bind"
fstype: "none"
- name: "Start Docker service." - name: "Start Docker service."
shell: "/etc/init.d/docker start" shell: "/etc/init.d/docker start"

View file

@ -9,7 +9,7 @@
creates: "/mnt/etc/apk/keys" creates: "/mnt/etc/apk/keys"
- name: "Enable repositories." - name: "Enable repositories."
template: template:
src: "templates/repositories.j2" src: "templates/etc/apk/repositories.j2"
dest: "/mnt/etc/apk/repositories" dest: "/mnt/etc/apk/repositories"
mode: "0600" mode: "0600"
- name: "Install packages with signature verification. Update if already present." - name: "Install packages with signature verification. Update if already present."
@ -17,14 +17,17 @@
loop: "{{ packages }}" loop: "{{ packages }}"
- name: "Tell Alpine how to mount partitions after boot." - name: "Tell Alpine how to mount partitions after boot."
template: template:
src: "templates/fstab.j2" src: "templates/etc/fstab.j2"
dest: "/mnt/etc/fstab" dest: "/mnt/etc/fstab"
mode: "0755" mode: "0755"
- name: "Load BTRFS module on boot" - name: "Load modules on boot"
shell: "grep -q btrfs /mnt/etc/modules || echo btrfs >> /mnt/etc/modules" template:
src: "templates/etc/modules.j2"
dest: "/mnt/etc/modules"
mode: "0640"
- name: "And which features to include into initramfs." - name: "And which features to include into initramfs."
template: template:
src: "templates/mkinitfs.conf.j2" src: "templates/etc/mkinitfs/mkinitfs.conf.j2"
dest: "/mnt/etc/mkinitfs/mkinitfs.conf" dest: "/mnt/etc/mkinitfs/mkinitfs.conf"
mode: "0750" mode: "0750"
- name: "Copy SSH host keys from the live system." - name: "Copy SSH host keys from the live system."
@ -44,11 +47,11 @@
creates: "/mnt/root/.ssh/authorized_keys" creates: "/mnt/root/.ssh/authorized_keys"
- name: "Install network configuration." - name: "Install network configuration."
template: template:
src: "templates/interfaces.j2" src: "templates/etc/network/interfaces.j2"
dest: "/mnt/etc/network/interfaces" dest: "/mnt/etc/network/interfaces"
- name: "And DNS resolvers." - name: "And DNS resolvers."
template: template:
src: "templates/resolv.conf.j2" src: "templates/etc/resolv.conf.j2"
dest: "/mnt/etc/resolv.conf" dest: "/mnt/etc/resolv.conf"
- name: "Set hostname." - name: "Set hostname."
shell: "echo {{ inventory_hostname }} > /etc/hostname" shell: "echo {{ inventory_hostname }} > /etc/hostname"

View file

@ -25,7 +25,7 @@
- runlevel: "boot" - runlevel: "boot"
service: "bootmisc" service: "bootmisc"
- runlevel: "boot" - runlevel: "boot"
service: "syslog" service: "syslog-ng"
- runlevel: "shutdown" - runlevel: "shutdown"
service: "mount-ro" service: "mount-ro"
- runlevel: "shutdown" - runlevel: "shutdown"
@ -34,6 +34,8 @@
service: "savecache" service: "savecache"
- runlevel: "default" - runlevel: "default"
service: "networking" service: "networking"
- runlevel: "default"
service: "ipset"
- runlevel: "default" - runlevel: "default"
service: "iptables" service: "iptables"
- runlevel: "default" - runlevel: "default"
@ -46,19 +48,35 @@
service: "hwclock" service: "hwclock"
- runlevel: "boot" - runlevel: "boot"
service: "swclock" service: "swclock"
- name: "Install firewall rules." - runlevel: "default"
service: "ntpd"
- name: "Install configuration files."
template:
src: "templates/{{ item }}"
dest: "{{ item }}"
mode: "640"
loop:
- /etc/conf.d/iptables
- /etc/conf.d/ip6tables
- /etc/conf.d/tinc.networks
- /etc/iptables/rules6-save
- /etc/iptables/rules-save
- /etc/ipset.d/blocklist4
- /etc/ipset.d/blocklist6
- /etc/syslog-ng/syslog-ng.conf
- name: "Create NTP directories."
file:
state: "directory"
path: "{{ item }}"
loop:
- "/var/NTP"
- "/var/lib/ntp"
- name: "And services."
template: template:
src: "templates/{{ item }}.j2" src: "templates/{{ item }}.j2"
dest: "/mnt/etc/iptables/{{ item }}" dest: "{{ item }}"
mode: "750"
loop: loop:
- rules-save - /etc/init.d/ntpd
- rules6-save
- name: "And blocklists."
template:
src: "templates/{{ item }}.j2"
dest: "/mnt/etc/ipset.d/{{ item }}"
loop:
- blocklist4
- blocklist6
- name: "Reboot!" - name: "Reboot!"
reboot: reboot:

View file

@ -0,0 +1,2 @@
http://dl-cdn.alpinelinux.org/alpine/v{{ alpine_version }}/main
http://dl-cdn.alpinelinux.org/alpine/v{{ alpine_version }}/community

View file

@ -0,0 +1,14 @@
# /etc/conf.d/ip6tables
# Location in which ip6tables initscript will save set rules on
# service shutdown
IP6TABLES_SAVE="/etc/iptables/rules6-save"
# Options to pass to ip6tables-save and ip6tables-restore
SAVE_RESTORE_OPTIONS="-c"
# Save state on stopping iptables
SAVE_ON_STOP="no"
# Enable/disable IPv6 forwarding with the rules
IPFORWARD="no"

View file

@ -0,0 +1,14 @@
# /etc/conf.d/iptables
# Location in which iptables initscript will save set rules on
# service shutdown
IPTABLES_SAVE="/etc/iptables/rules-save"
# Options to pass to iptables-save and iptables-restore
SAVE_RESTORE_OPTIONS="-c"
# Save state on stopping iptables
SAVE_ON_STOP="no"
# Enable/disable IPv4 forwarding with the rules
IPFORWARD="no"

View file

@ -0,0 +1 @@
NETWORK: ekumen

5
templates/etc/fstab.j2 Normal file
View file

@ -0,0 +1,5 @@
{{disk_device}}2 / btrfs compress=zstd,noatime,nodiratime,lazytime,discard 0 1
{{disk_device}}1 /boot ext2 noatime,nodiratime,lazytime,ro 0 2
/dev/mapper/srv /srv btrfs compress=zstd,noatime,nodiratime,lazytime,discard,noauto 0 2
tmpfs /var/log tmpfs defaults 0 0
/srv/docker /var/lib/docker none bind 0 0

20
templates/etc/init.d/ntpd.j2 Executable file
View file

@ -0,0 +1,20 @@
#!/sbin/openrc-run
DAEMON="/usr/sbin/ntpd"
PIDFILE="/var/run/ntpd.pid"
depend() {
need net
}
start() {
ebegin "Starting NTPSec"
start-stop-daemon --start --exec "${DAEMON}" --pidfile "${PIDFILE}"
eend $?
}
stop() {
ebegin "Stopping NTPSec"
start-stop-daemon --stop --pidfile "${PIDFILE}"
eend $?
}

View file

@ -6,7 +6,8 @@
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack ! --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack ! --ctstate NEW -j REJECT --reject-with tcp-reset
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 65000 -j ACCEPT
-A INPUT -p tcp --dport 65000 -j ACCEPT
COMMIT COMMIT

View file

@ -7,7 +7,10 @@
-A INPUT -m conntrack --ctstate INVALID -j DROP -A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmpv6 -j ACCEPT -A INPUT -p icmpv6 -j ACCEPT
-A FORWARD -p icmpv6 -j ACCEPT -A FORWARD -p icmpv6 -j ACCEPT
-A INPUT -p udp -m conntrack ! --ctstate NEW -j REJECT --reject-with icmp6-port-unreachable
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack ! --ctstate NEW -j REJECT --reject-with tcp-reset
-A INPUT -i lo -j ACCEPT -A INPUT -i lo -j ACCEPT
{% if ip6 is defined %}
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 65000 -j ACCEPT
-A INPUT -p tcp --dport 65000 -j ACCEPT
{% endif %}
COMMIT COMMIT

4
templates/etc/modules.j2 Normal file
View file

@ -0,0 +1,4 @@
af_packet
ipv6
btrfs
tun

5
templates/etc/ntp.conf Normal file
View file

@ -0,0 +1,5 @@
pool pool.ntp.org
driftfile /var/lib/ntp/ntp.drift
restrict default kod limited nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1

View file

@ -0,0 +1,73 @@
@version:3.36
@include "scl.conf"
# syslog-ng configuration file.
#
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
#
# Note: It also sources additional configuration files (*.conf)
# located in /etc/syslog-ng/conf.d/.
#
# Options
#
options {
# Create destination directories if missing.
create_dirs(yes);
# The default action of syslog-ng is to log a MARK line to the file every
# 20 minutes. That's seems high for most people so turn it down to once an
# hour. Set it to zero if you don't want the functionality at all.
mark_freq(3600);
# The default action of syslog-ng is to log a STATS line to the file every
# 10 minutes. That's pretty ugly after a while. Change it to every 12 hours
# so you get a nice daily update of how many messages syslog-ng missed (0).
stats_freq(43200);
# Time to wait before a died connection is re-established (default is 60).
time_reopen(5);
# Disable DNS usage.
# syslog-ng blocks on DNS queries, so enabling DNS may lead to a DoS attack.
use_dns(no);
dns-cache(no);
# Default owner, group, and permissions for log files.
owner(root);
group(adm);
perm(0640);
# Default permissions for created directories.
dir_perm(0755);
keep_hostname(yes);
};
#
# Templates
#
template t_file {
template("${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC} ${LEVEL} ${MSGHDR}${MSG}\n");
};
#
# Sources
#
source s_sys {
# Standard system log source.
system();
# Messages generated by syslog-ng.
internal();
};
destination d_loghost { udp("{{ log_server }}" port(514)); };
log { source(s_sys); destination(d_loghost); };
# Source additional configuration files (.conf extension only)
@include "/etc/syslog-ng/conf.d/*.conf"

View file

@ -1,4 +0,0 @@
{{disk_device}}2 / btrfs compress=zstd,noatime,nodiratime,lazytime,discard,ro 0 1
{{disk_device}}1 /boot ext2 noatime,nodiratime,lazytime,ro 0 2
/dev/mapper/srv /srv btrfs compress=zstd,noatime,nodiratime,lazytime,discard,noauto 0 2
tmpfs /var/log tmpfs defaults 0 0

View file

@ -1,2 +0,0 @@
http://dl-cdn.alpinelinux.org/alpine/v3.15/main
http://dl-cdn.alpinelinux.org/alpine/v3.15/community