Compare commits
13 commits
b71c8b9f92
...
fee595921c
Author | SHA1 | Date | |
---|---|---|---|
|
fee595921c | ||
|
2eef8b1a49 | ||
|
244de034d8 | ||
|
e3a5854361 | ||
|
ac9f6ba592 | ||
|
1f650c21a7 | ||
|
737c8c9129 | ||
|
aaee98f089 | ||
|
cd6a30e9c4 | ||
|
2b18ae91e6 | ||
|
88f049324d | ||
|
d835871964 | ||
|
55c3c5f052 |
28 changed files with 213 additions and 39 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
@ -1 +1,2 @@
|
|||
vault.key
|
||||
ekumen/
|
||||
|
|
15
README.md
15
README.md
|
@ -100,7 +100,20 @@ ssh-copy-id root@your.host.name
|
|||
|
||||
## Configuring the playbook
|
||||
|
||||
Create a vault password:
|
||||
### General configuration
|
||||
|
||||
#### Syslog
|
||||
|
||||
Syslog-ng is used to centralize logging into a single node. Edit the IP
|
||||
address for your log server on `alpines.yml`:
|
||||
|
||||
```yaml
|
||||
vars:
|
||||
- log_server: "EKU:MEN:IP:ADD::RESS"
|
||||
+ log_server: "10.13.12.1"
|
||||
```
|
||||
|
||||
### Create a vault password
|
||||
|
||||
```bash
|
||||
make vault.key
|
||||
|
|
|
@ -5,6 +5,7 @@
|
|||
vars:
|
||||
alpine_version: 3.16
|
||||
apk_version: 2.12.9-r3
|
||||
log_server: "EKU:MEN:IP:ADD::RESS"
|
||||
packages:
|
||||
- alpine-base
|
||||
- linux-virt
|
||||
|
@ -24,6 +25,7 @@
|
|||
- tinc
|
||||
- prometheus-node-exporter
|
||||
- prometheus-node-exporter-openrc
|
||||
- ntpsec
|
||||
tasks:
|
||||
- include_tasks: "tasks/partition.yml"
|
||||
- include_tasks: "tasks/encrypt.yml"
|
||||
|
|
|
@ -5,3 +5,4 @@
|
|||
tasks:
|
||||
- include_tasks: "tasks/encrypt.yml"
|
||||
- include_tasks: "tasks/docker.yml"
|
||||
- include_tasks: "tasks/ekumen.yml"
|
||||
|
|
|
@ -1,14 +1,14 @@
|
|||
---
|
||||
- name: "Install syslinux bootloader"
|
||||
template:
|
||||
src: "templates/update-extlinux.conf.j2"
|
||||
src: "templates/etc/update-extlinux.conf.j2"
|
||||
dest: "/mnt/etc/update-extlinux.conf"
|
||||
mode: "0644"
|
||||
- name: "Update configuration"
|
||||
shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /sbin/update-extlinux"
|
||||
- name: "Install bootloader in MBR. This is how `setup-disk` does it."
|
||||
shell: "cat /mnt/usr/share/syslinux/mbr.bin > {{ disk_device }}"
|
||||
- name: "Install syslinux configuration into /boot using chroot."
|
||||
shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /sbin/extlinux --install /boot"
|
||||
- name: "Update configuration"
|
||||
shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /sbin/update-extlinux"
|
||||
- name: "Generate initramfs."
|
||||
shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /bin/sh -c 'ls /lib/modules | xargs /sbin/mkinitfs -K'"
|
||||
|
|
|
@ -1,4 +1,9 @@
|
|||
---
|
||||
# TODO: Use a BTRFS subvolume instead?
|
||||
- name: "Mount encrypted partition to /srv."
|
||||
shell: "mount /srv"
|
||||
args:
|
||||
creates: "/srv/docker"
|
||||
- name: "Prepare /srv to encrypt Docker files."
|
||||
file:
|
||||
state: "directory"
|
||||
|
@ -7,11 +12,6 @@
|
|||
- "/srv/docker"
|
||||
- "/var/lib/docker"
|
||||
- name: "Bind mount /srv/docker to /var/lib/docker."
|
||||
mount:
|
||||
state: "mounted"
|
||||
src: "/srv/docker"
|
||||
path: "/var/lib/docker"
|
||||
opts: "bind"
|
||||
fstype: "none"
|
||||
shell: "mount /var/lib/docker"
|
||||
- name: "Start Docker service."
|
||||
shell: "/etc/init.d/docker start"
|
||||
|
|
|
@ -9,7 +9,7 @@
|
|||
creates: "/mnt/etc/apk/keys"
|
||||
- name: "Enable repositories."
|
||||
template:
|
||||
src: "templates/repositories.j2"
|
||||
src: "templates/etc/apk/repositories.j2"
|
||||
dest: "/mnt/etc/apk/repositories"
|
||||
mode: "0600"
|
||||
- name: "Install packages with signature verification. Update if already present."
|
||||
|
@ -17,14 +17,17 @@
|
|||
loop: "{{ packages }}"
|
||||
- name: "Tell Alpine how to mount partitions after boot."
|
||||
template:
|
||||
src: "templates/fstab.j2"
|
||||
src: "templates/etc/fstab.j2"
|
||||
dest: "/mnt/etc/fstab"
|
||||
mode: "0755"
|
||||
- name: "Load BTRFS module on boot"
|
||||
shell: "grep -q btrfs /mnt/etc/modules || echo btrfs >> /mnt/etc/modules"
|
||||
- name: "Load modules on boot"
|
||||
template:
|
||||
src: "templates/etc/modules.j2"
|
||||
dest: "/mnt/etc/modules"
|
||||
mode: "0640"
|
||||
- name: "And which features to include into initramfs."
|
||||
template:
|
||||
src: "templates/mkinitfs.conf.j2"
|
||||
src: "templates/etc/mkinitfs/mkinitfs.conf.j2"
|
||||
dest: "/mnt/etc/mkinitfs/mkinitfs.conf"
|
||||
mode: "0750"
|
||||
- name: "Copy SSH host keys from the live system."
|
||||
|
@ -44,11 +47,11 @@
|
|||
creates: "/mnt/root/.ssh/authorized_keys"
|
||||
- name: "Install network configuration."
|
||||
template:
|
||||
src: "templates/interfaces.j2"
|
||||
src: "templates/etc/network/interfaces.j2"
|
||||
dest: "/mnt/etc/network/interfaces"
|
||||
- name: "And DNS resolvers."
|
||||
template:
|
||||
src: "templates/resolv.conf.j2"
|
||||
src: "templates/etc/resolv.conf.j2"
|
||||
dest: "/mnt/etc/resolv.conf"
|
||||
- name: "Set hostname."
|
||||
shell: "echo {{ inventory_hostname }} > /etc/hostname"
|
||||
|
|
|
@ -25,7 +25,7 @@
|
|||
- runlevel: "boot"
|
||||
service: "bootmisc"
|
||||
- runlevel: "boot"
|
||||
service: "syslog"
|
||||
service: "syslog-ng"
|
||||
- runlevel: "shutdown"
|
||||
service: "mount-ro"
|
||||
- runlevel: "shutdown"
|
||||
|
@ -34,6 +34,8 @@
|
|||
service: "savecache"
|
||||
- runlevel: "default"
|
||||
service: "networking"
|
||||
- runlevel: "default"
|
||||
service: "ipset"
|
||||
- runlevel: "default"
|
||||
service: "iptables"
|
||||
- runlevel: "default"
|
||||
|
@ -46,19 +48,35 @@
|
|||
service: "hwclock"
|
||||
- runlevel: "boot"
|
||||
service: "swclock"
|
||||
- name: "Install firewall rules."
|
||||
- runlevel: "default"
|
||||
service: "ntpd"
|
||||
- name: "Install configuration files."
|
||||
template:
|
||||
src: "templates/{{ item }}"
|
||||
dest: "{{ item }}"
|
||||
mode: "640"
|
||||
loop:
|
||||
- /etc/conf.d/iptables
|
||||
- /etc/conf.d/ip6tables
|
||||
- /etc/conf.d/tinc.networks
|
||||
- /etc/iptables/rules6-save
|
||||
- /etc/iptables/rules-save
|
||||
- /etc/ipset.d/blocklist4
|
||||
- /etc/ipset.d/blocklist6
|
||||
- /etc/syslog-ng/syslog-ng.conf
|
||||
- name: "Create NTP directories."
|
||||
file:
|
||||
state: "directory"
|
||||
path: "{{ item }}"
|
||||
loop:
|
||||
- "/var/NTP"
|
||||
- "/var/lib/ntp"
|
||||
- name: "And services."
|
||||
template:
|
||||
src: "templates/{{ item }}.j2"
|
||||
dest: "/mnt/etc/iptables/{{ item }}"
|
||||
dest: "{{ item }}"
|
||||
mode: "750"
|
||||
loop:
|
||||
- rules-save
|
||||
- rules6-save
|
||||
- name: "And blocklists."
|
||||
template:
|
||||
src: "templates/{{ item }}.j2"
|
||||
dest: "/mnt/etc/ipset.d/{{ item }}"
|
||||
loop:
|
||||
- blocklist4
|
||||
- blocklist6
|
||||
- /etc/init.d/ntpd
|
||||
- name: "Reboot!"
|
||||
reboot:
|
||||
|
|
2
templates/etc/apk/repositories.j2
Normal file
2
templates/etc/apk/repositories.j2
Normal file
|
@ -0,0 +1,2 @@
|
|||
http://dl-cdn.alpinelinux.org/alpine/v{{ alpine_version }}/main
|
||||
http://dl-cdn.alpinelinux.org/alpine/v{{ alpine_version }}/community
|
14
templates/etc/conf.d/ip6tables.j2
Normal file
14
templates/etc/conf.d/ip6tables.j2
Normal file
|
@ -0,0 +1,14 @@
|
|||
# /etc/conf.d/ip6tables
|
||||
|
||||
# Location in which ip6tables initscript will save set rules on
|
||||
# service shutdown
|
||||
IP6TABLES_SAVE="/etc/iptables/rules6-save"
|
||||
|
||||
# Options to pass to ip6tables-save and ip6tables-restore
|
||||
SAVE_RESTORE_OPTIONS="-c"
|
||||
|
||||
# Save state on stopping iptables
|
||||
SAVE_ON_STOP="no"
|
||||
|
||||
# Enable/disable IPv6 forwarding with the rules
|
||||
IPFORWARD="no"
|
14
templates/etc/conf.d/iptables.j2
Normal file
14
templates/etc/conf.d/iptables.j2
Normal file
|
@ -0,0 +1,14 @@
|
|||
# /etc/conf.d/iptables
|
||||
|
||||
# Location in which iptables initscript will save set rules on
|
||||
# service shutdown
|
||||
IPTABLES_SAVE="/etc/iptables/rules-save"
|
||||
|
||||
# Options to pass to iptables-save and iptables-restore
|
||||
SAVE_RESTORE_OPTIONS="-c"
|
||||
|
||||
# Save state on stopping iptables
|
||||
SAVE_ON_STOP="no"
|
||||
|
||||
# Enable/disable IPv4 forwarding with the rules
|
||||
IPFORWARD="no"
|
1
templates/etc/conf.d/tinc.networks.j2
Normal file
1
templates/etc/conf.d/tinc.networks.j2
Normal file
|
@ -0,0 +1 @@
|
|||
NETWORK: ekumen
|
5
templates/etc/fstab.j2
Normal file
5
templates/etc/fstab.j2
Normal file
|
@ -0,0 +1,5 @@
|
|||
{{disk_device}}2 / btrfs compress=zstd,noatime,nodiratime,lazytime,discard 0 1
|
||||
{{disk_device}}1 /boot ext2 noatime,nodiratime,lazytime,ro 0 2
|
||||
/dev/mapper/srv /srv btrfs compress=zstd,noatime,nodiratime,lazytime,discard,noauto 0 2
|
||||
tmpfs /var/log tmpfs defaults 0 0
|
||||
/srv/docker /var/lib/docker none bind 0 0
|
20
templates/etc/init.d/ntpd.j2
Executable file
20
templates/etc/init.d/ntpd.j2
Executable file
|
@ -0,0 +1,20 @@
|
|||
#!/sbin/openrc-run
|
||||
|
||||
DAEMON="/usr/sbin/ntpd"
|
||||
PIDFILE="/var/run/ntpd.pid"
|
||||
|
||||
depend() {
|
||||
need net
|
||||
}
|
||||
|
||||
start() {
|
||||
ebegin "Starting NTPSec"
|
||||
start-stop-daemon --start --exec "${DAEMON}" --pidfile "${PIDFILE}"
|
||||
eend $?
|
||||
}
|
||||
|
||||
stop() {
|
||||
ebegin "Stopping NTPSec"
|
||||
start-stop-daemon --stop --pidfile "${PIDFILE}"
|
||||
eend $?
|
||||
}
|
|
@ -6,7 +6,8 @@
|
|||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
|
||||
-A INPUT -p udp -m conntrack ! --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
|
||||
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack ! --ctstate NEW -j REJECT --reject-with tcp-reset
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A INPUT -p udp --dport 65000 -j ACCEPT
|
||||
-A INPUT -p tcp --dport 65000 -j ACCEPT
|
||||
COMMIT
|
|
@ -7,7 +7,10 @@
|
|||
-A INPUT -m conntrack --ctstate INVALID -j DROP
|
||||
-A INPUT -p icmpv6 -j ACCEPT
|
||||
-A FORWARD -p icmpv6 -j ACCEPT
|
||||
-A INPUT -p udp -m conntrack ! --ctstate NEW -j REJECT --reject-with icmp6-port-unreachable
|
||||
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack ! --ctstate NEW -j REJECT --reject-with tcp-reset
|
||||
-A INPUT -i lo -j ACCEPT
|
||||
{% if ip6 is defined %}
|
||||
-A INPUT -p tcp --dport 22 -j ACCEPT
|
||||
-A INPUT -p udp --dport 65000 -j ACCEPT
|
||||
-A INPUT -p tcp --dport 65000 -j ACCEPT
|
||||
{% endif %}
|
||||
COMMIT
|
4
templates/etc/modules.j2
Normal file
4
templates/etc/modules.j2
Normal file
|
@ -0,0 +1,4 @@
|
|||
af_packet
|
||||
ipv6
|
||||
btrfs
|
||||
tun
|
5
templates/etc/ntp.conf
Normal file
5
templates/etc/ntp.conf
Normal file
|
@ -0,0 +1,5 @@
|
|||
pool pool.ntp.org
|
||||
driftfile /var/lib/ntp/ntp.drift
|
||||
restrict default kod limited nomodify nopeer noquery
|
||||
restrict 127.0.0.1
|
||||
restrict ::1
|
73
templates/etc/syslog-ng/syslog-ng.conf.j2
Normal file
73
templates/etc/syslog-ng/syslog-ng.conf.j2
Normal file
|
@ -0,0 +1,73 @@
|
|||
@version:3.36
|
||||
@include "scl.conf"
|
||||
|
||||
# syslog-ng configuration file.
|
||||
#
|
||||
# See syslog-ng(8) and syslog-ng.conf(5) for more information.
|
||||
#
|
||||
# Note: It also sources additional configuration files (*.conf)
|
||||
# located in /etc/syslog-ng/conf.d/.
|
||||
|
||||
#
|
||||
# Options
|
||||
#
|
||||
options {
|
||||
# Create destination directories if missing.
|
||||
create_dirs(yes);
|
||||
|
||||
# The default action of syslog-ng is to log a MARK line to the file every
|
||||
# 20 minutes. That's seems high for most people so turn it down to once an
|
||||
# hour. Set it to zero if you don't want the functionality at all.
|
||||
mark_freq(3600);
|
||||
|
||||
# The default action of syslog-ng is to log a STATS line to the file every
|
||||
# 10 minutes. That's pretty ugly after a while. Change it to every 12 hours
|
||||
# so you get a nice daily update of how many messages syslog-ng missed (0).
|
||||
stats_freq(43200);
|
||||
|
||||
# Time to wait before a died connection is re-established (default is 60).
|
||||
time_reopen(5);
|
||||
|
||||
# Disable DNS usage.
|
||||
# syslog-ng blocks on DNS queries, so enabling DNS may lead to a DoS attack.
|
||||
use_dns(no);
|
||||
dns-cache(no);
|
||||
|
||||
# Default owner, group, and permissions for log files.
|
||||
owner(root);
|
||||
group(adm);
|
||||
perm(0640);
|
||||
|
||||
# Default permissions for created directories.
|
||||
dir_perm(0755);
|
||||
|
||||
keep_hostname(yes);
|
||||
};
|
||||
|
||||
|
||||
#
|
||||
# Templates
|
||||
#
|
||||
|
||||
template t_file {
|
||||
template("${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC} ${LEVEL} ${MSGHDR}${MSG}\n");
|
||||
};
|
||||
|
||||
|
||||
#
|
||||
# Sources
|
||||
#
|
||||
|
||||
source s_sys {
|
||||
# Standard system log source.
|
||||
system();
|
||||
|
||||
# Messages generated by syslog-ng.
|
||||
internal();
|
||||
};
|
||||
|
||||
destination d_loghost { udp("{{ log_server }}" port(514)); };
|
||||
log { source(s_sys); destination(d_loghost); };
|
||||
|
||||
# Source additional configuration files (.conf extension only)
|
||||
@include "/etc/syslog-ng/conf.d/*.conf"
|
|
@ -1,4 +0,0 @@
|
|||
{{disk_device}}2 / btrfs compress=zstd,noatime,nodiratime,lazytime,discard,ro 0 1
|
||||
{{disk_device}}1 /boot ext2 noatime,nodiratime,lazytime,ro 0 2
|
||||
/dev/mapper/srv /srv btrfs compress=zstd,noatime,nodiratime,lazytime,discard,noauto 0 2
|
||||
tmpfs /var/log tmpfs defaults 0 0
|
|
@ -1,2 +0,0 @@
|
|||
http://dl-cdn.alpinelinux.org/alpine/v3.15/main
|
||||
http://dl-cdn.alpinelinux.org/alpine/v3.15/community
|
Loading…
Reference in a new issue