interconnect servers through the ekumen

otherwise services can't start

.gitignore

@@ -1 +1,2 @@
 vault.key
+ekumen/

README.md

@@ -100,7 +100,20 @@ ssh-copy-id root@your.host.name
 
 ## Configuring the playbook
 
-Create a vault password:
+### General configuration
+
+#### Syslog
+
+Syslog-ng is used to centralize logging into a single node.  Edit the IP
+address for your log server on `alpines.yml`:
+
+```yaml
+   vars:
+-    log_server: "EKU:MEN:IP:ADD::RESS"
++    log_server: "10.13.12.1"
+```
+
+### Create a vault password
 
 ```bash
 make vault.key

alpines.yml

@@ -5,6 +5,7 @@
   vars:
     alpine_version: 3.16
     apk_version: 2.12.9-r3
+    log_server: "EKU:MEN:IP:ADD::RESS"
     packages:
     - alpine-base
     - linux-virt
@@ -24,6 +25,7 @@
     - tinc
     - prometheus-node-exporter
     - prometheus-node-exporter-openrc
+    - ntpsec
   tasks:
   - include_tasks: "tasks/partition.yml"
   - include_tasks: "tasks/encrypt.yml"

dockers.yml

@@ -5,3 +5,4 @@
   tasks:
   - include_tasks: "tasks/encrypt.yml"
   - include_tasks: "tasks/docker.yml"
+  - include_tasks: "tasks/ekumen.yml"

tasks/bootloader.yml

@@ -1,14 +1,14 @@
 ---
 - name: "Install syslinux bootloader"
   template:
-    src: "templates/update-extlinux.conf.j2"
+    src: "templates/etc/update-extlinux.conf.j2"
     dest: "/mnt/etc/update-extlinux.conf"
     mode: "0644"
-- name: "Update configuration"
-  shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /sbin/update-extlinux"
 - name: "Install bootloader in MBR.  This is how `setup-disk` does it."
   shell: "cat /mnt/usr/share/syslinux/mbr.bin > {{ disk_device }}"
 - name: "Install syslinux configuration into /boot using chroot."
   shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /sbin/extlinux --install /boot"
+- name: "Update configuration"
+  shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /sbin/update-extlinux"
 - name: "Generate initramfs."
   shell: "PATH=/usr/bin:/usr/sbin:/bin:/sbin chroot /mnt /bin/sh -c 'ls /lib/modules | xargs /sbin/mkinitfs -K'"

tasks/docker.yml

@@ -1,4 +1,9 @@
 ---
+# TODO: Use a BTRFS subvolume instead?
+- name: "Mount encrypted partition to /srv."
+  shell: "mount /srv"
+  args:
+    creates: "/srv/docker"
 - name: "Prepare /srv to encrypt Docker files."
   file:
     state: "directory"
@@ -7,11 +12,6 @@
   - "/srv/docker"
   - "/var/lib/docker"
 - name: "Bind mount /srv/docker to /var/lib/docker."
-  mount:
-    state: "mounted"
-    src: "/srv/docker"
-    path: "/var/lib/docker"
-    opts: "bind"
-    fstype: "none"
+  shell: "mount /var/lib/docker"
 - name: "Start Docker service."
   shell: "/etc/init.d/docker start"

tasks/install.yml

@@ -9,7 +9,7 @@
     creates: "/mnt/etc/apk/keys"
 - name: "Enable repositories."
   template:
-    src: "templates/repositories.j2"
+    src: "templates/etc/apk/repositories.j2"
     dest: "/mnt/etc/apk/repositories"
     mode: "0600"
 - name: "Install packages with signature verification.  Update if already present."
@@ -17,14 +17,17 @@
   loop: "{{ packages }}"
 - name: "Tell Alpine how to mount partitions after boot."
   template:
-    src: "templates/fstab.j2"
+    src: "templates/etc/fstab.j2"
     dest: "/mnt/etc/fstab"
     mode: "0755"
-- name: "Load BTRFS module on boot"
-  shell: "grep -q btrfs /mnt/etc/modules || echo btrfs >> /mnt/etc/modules"
+- name: "Load modules on boot"
+  template:
+    src: "templates/etc/modules.j2"
+    dest: "/mnt/etc/modules"
+    mode: "0640"
 - name: "And which features to include into initramfs."
   template:
-    src: "templates/mkinitfs.conf.j2"
+    src: "templates/etc/mkinitfs/mkinitfs.conf.j2"
     dest: "/mnt/etc/mkinitfs/mkinitfs.conf"
     mode: "0750"
 - name: "Copy SSH host keys from the live system."
@@ -44,11 +47,11 @@
     creates: "/mnt/root/.ssh/authorized_keys"
 - name: "Install network configuration."
   template:
-    src: "templates/interfaces.j2"
+    src: "templates/etc/network/interfaces.j2"
     dest: "/mnt/etc/network/interfaces"
 - name: "And DNS resolvers."
   template:
-    src: "templates/resolv.conf.j2"
+    src: "templates/etc/resolv.conf.j2"
     dest: "/mnt/etc/resolv.conf"
 - name: "Set hostname."
   shell: "echo {{ inventory_hostname }} > /etc/hostname"

tasks/post_install.yml

@@ -25,7 +25,7 @@
   - runlevel: "boot"
     service: "bootmisc"
   - runlevel: "boot"
-    service: "syslog"
+    service: "syslog-ng"
   - runlevel: "shutdown"
     service: "mount-ro"
   - runlevel: "shutdown"
@@ -34,6 +34,8 @@
     service: "savecache"
   - runlevel: "default"
     service: "networking"
+  - runlevel: "default"
+    service: "ipset"
   - runlevel: "default"
     service: "iptables"
   - runlevel: "default"
@@ -46,19 +48,35 @@
     service: "hwclock"
   - runlevel: "boot"
     service: "swclock"
-- name: "Install firewall rules."
+  - runlevel: "default"
+    service: "ntpd"
+- name: "Install configuration files."
+  template:
+    src: "templates/{{ item }}"
+    dest: "{{ item }}"
+    mode: "640"
+  loop:
+  - /etc/conf.d/iptables
+  - /etc/conf.d/ip6tables
+  - /etc/conf.d/tinc.networks
+  - /etc/iptables/rules6-save
+  - /etc/iptables/rules-save
+  - /etc/ipset.d/blocklist4
+  - /etc/ipset.d/blocklist6
+  - /etc/syslog-ng/syslog-ng.conf
+- name: "Create NTP directories."
+  file:
+    state: "directory"
+    path: "{{ item }}"
+  loop:
+  - "/var/NTP"
+  - "/var/lib/ntp"
+- name: "And services."
   template:
     src: "templates/{{ item }}.j2"
-    dest: "/mnt/etc/iptables/{{ item }}"
+    dest: "{{ item }}"
+    mode: "750"
   loop:
-  - rules-save
-  - rules6-save
-- name: "And blocklists."
-  template:
-    src: "templates/{{ item }}.j2"
-    dest: "/mnt/etc/ipset.d/{{ item }}"
-  loop:
-  - blocklist4
-  - blocklist6
+  - /etc/init.d/ntpd
 - name: "Reboot!"
   reboot:

templates/etc/apk/repositories.j2

@@ -0,0 +1,2 @@
+http://dl-cdn.alpinelinux.org/alpine/v{{ alpine_version }}/main
+http://dl-cdn.alpinelinux.org/alpine/v{{ alpine_version }}/community

templates/etc/conf.d/ip6tables.j2

@@ -0,0 +1,14 @@
+# /etc/conf.d/ip6tables
+
+# Location in which ip6tables initscript will save set rules on
+# service shutdown
+IP6TABLES_SAVE="/etc/iptables/rules6-save"
+
+# Options to pass to ip6tables-save and ip6tables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="no"
+
+# Enable/disable IPv6 forwarding with the rules
+IPFORWARD="no"

templates/etc/conf.d/iptables.j2

@@ -0,0 +1,14 @@
+# /etc/conf.d/iptables
+
+# Location in which iptables initscript will save set rules on
+# service shutdown
+IPTABLES_SAVE="/etc/iptables/rules-save"
+
+# Options to pass to iptables-save and iptables-restore
+SAVE_RESTORE_OPTIONS="-c"
+
+# Save state on stopping iptables
+SAVE_ON_STOP="no"
+
+# Enable/disable IPv4 forwarding with the rules
+IPFORWARD="no"

templates/etc/conf.d/tinc.networks.j2

@@ -0,0 +1 @@
+NETWORK: ekumen

templates/etc/fstab.j2

@@ -0,0 +1,5 @@
+{{disk_device}}2  /               btrfs  compress=zstd,noatime,nodiratime,lazytime,discard         0  1
+{{disk_device}}1  /boot           ext2   noatime,nodiratime,lazytime,ro                            0  2
+/dev/mapper/srv   /srv            btrfs  compress=zstd,noatime,nodiratime,lazytime,discard,noauto  0  2
+tmpfs             /var/log        tmpfs  defaults                                                  0  0
+/srv/docker       /var/lib/docker none   bind                                                      0  0

templates/etc/init.d/ntpd.j2

@@ -0,0 +1,20 @@
+#!/sbin/openrc-run
+
+DAEMON="/usr/sbin/ntpd"
+PIDFILE="/var/run/ntpd.pid"
+
+depend() {
+  need net
+}
+
+start() {
+  ebegin "Starting NTPSec"
+  start-stop-daemon --start --exec "${DAEMON}" --pidfile "${PIDFILE}"
+  eend $?
+}
+
+stop() {
+  ebegin "Stopping NTPSec"
+  start-stop-daemon --stop --pidfile "${PIDFILE}"
+  eend $?
+}

templates/etc/iptables/rules-save.j2

@@ -6,7 +6,8 @@
 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
--A INPUT -p udp -m conntrack ! --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
--A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack ! --ctstate NEW -j REJECT --reject-with tcp-reset
 -A INPUT -i lo -j ACCEPT
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p udp --dport 65000 -j ACCEPT
+-A INPUT -p tcp --dport 65000 -j ACCEPT
 COMMIT

templates/etc/iptables/rules6-save.j2

@@ -7,7 +7,10 @@
 -A INPUT -m conntrack --ctstate INVALID -j DROP
 -A INPUT -p icmpv6 -j ACCEPT
 -A FORWARD -p icmpv6 -j ACCEPT
--A INPUT -p udp -m conntrack ! --ctstate NEW -j REJECT --reject-with icmp6-port-unreachable
--A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack ! --ctstate NEW -j REJECT --reject-with tcp-reset
 -A INPUT -i lo -j ACCEPT
+{% if ip6 is defined %}
+-A INPUT -p tcp --dport 22 -j ACCEPT
+-A INPUT -p udp --dport 65000 -j ACCEPT
+-A INPUT -p tcp --dport 65000 -j ACCEPT
+{% endif %}
 COMMIT

templates/etc/modules.j2

@@ -0,0 +1,4 @@
+af_packet
+ipv6
+btrfs
+tun

templates/etc/ntp.conf

@@ -0,0 +1,5 @@
+pool pool.ntp.org
+driftfile /var/lib/ntp/ntp.drift
+restrict default kod limited nomodify nopeer noquery
+restrict 127.0.0.1
+restrict ::1

templates/etc/syslog-ng/syslog-ng.conf.j2

@@ -0,0 +1,73 @@
+@version:3.36
+@include "scl.conf"
+
+# syslog-ng configuration file.
+#
+# See syslog-ng(8) and syslog-ng.conf(5) for more information.
+#
+# Note: It also sources additional configuration files (*.conf)
+#	   located in /etc/syslog-ng/conf.d/.
+
+#
+# Options
+#
+options {
+	# Create destination directories if missing.
+	create_dirs(yes);
+
+	# The default action of syslog-ng is to log a MARK line to the file every
+	# 20 minutes. That's seems high for most people so turn it down to once an
+	# hour. Set it to zero if you don't want the functionality at all.
+	mark_freq(3600);
+
+	# The default action of syslog-ng is to log a STATS line to the file every
+	# 10 minutes. That's pretty ugly after a while. Change it to every 12 hours
+	# so you get a nice daily update of how many messages syslog-ng missed (0).
+	stats_freq(43200);
+
+	# Time to wait before a died connection is re-established (default is 60).
+	time_reopen(5);
+
+	# Disable DNS usage.
+	# syslog-ng blocks on DNS queries, so enabling DNS may lead to a DoS attack.
+	use_dns(no);
+	dns-cache(no);
+
+	# Default owner, group, and permissions for log files.
+	owner(root);
+	group(adm);
+	perm(0640);
+
+	# Default permissions for created directories.
+	dir_perm(0755);
+
+  keep_hostname(yes);
+};
+
+
+#
+# Templates
+#
+
+template t_file {
+	template("${YEAR}-${MONTH}-${DAY} ${HOUR}:${MIN}:${SEC} ${LEVEL} ${MSGHDR}${MSG}\n");
+};
+
+
+#
+# Sources
+#
+
+source s_sys {
+	# Standard system log source.
+	system();
+
+	# Messages generated by syslog-ng.
+	internal();
+};
+
+destination d_loghost { udp("{{ log_server }}" port(514)); };
+log { source(s_sys); destination(d_loghost); };
+
+# Source additional configuration files (.conf extension only)
+@include "/etc/syslog-ng/conf.d/*.conf"

templates/fstab.j2

@@ -1,4 +0,0 @@
-{{disk_device}}2  /         btrfs  compress=zstd,noatime,nodiratime,lazytime,discard,ro      0  1
-{{disk_device}}1  /boot     ext2   noatime,nodiratime,lazytime,ro                            0  2
-/dev/mapper/srv   /srv      btrfs  compress=zstd,noatime,nodiratime,lazytime,discard,noauto  0  2
-tmpfs             /var/log  tmpfs  defaults                                                  0  0

templates/repositories.j2

@@ -1,2 +0,0 @@
-http://dl-cdn.alpinelinux.org/alpine/v3.15/main
-http://dl-cdn.alpinelinux.org/alpine/v3.15/community