ajout du firewall et fail2ban

roles/auth/handlers/main.yml

@@ -0,0 +1,18 @@
+---
+- name: restart prosody
+  systemd:
+    name: prosody
+    state: restarted
+    enabled: true
+
+- name: restart jicofo
+  systemd:
+    name: jicofo
+    state: restarted
+    enabled: true
+
+- name: restart jitsi-videobridge2
+  systemd:
+    name: jitsi-videobridge2
+    state: restarted
+    enabled: true

roles/auth/tasks/main.yml

@@ -4,6 +4,8 @@
     path: /etc/prosody/conf.d/{{ inventory_hostname }}.cfg.lua
     regexp: 'authentication = "anonymous"'
     replace: 'authentication = "internal_plain"'
+  notify:
+    - restart prosody
 
 - name:  Conf Jitsi - Activation de l'authentification prosody 2/2
   blockinfile:
@@ -13,27 +15,26 @@
       VirtualHost "guest.{{ inventory_hostname }}"
           authentication = "anonymous"
           c2s_require_encryption = false
+  notify:
+    - restart prosody
 
 - name: Conf Jitsi - Activation de l'authentification jitsi
   lineinfile:
     path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
     insertafter: "[^?]// anonymousdomain: 'guest.example.com'"
     line: "        anonymousdomain: 'guest.{{ inventory_hostname }}',"
+  notify:
+    - restart jitsi-videobridge2
 
 - name: Conf Jitsi - Activation de l'authentification jicofo
   lineinfile:
     path: /etc/jitsi/jicofo/sip-communicator.properties
     insertafter: "^org.jitsi.jicofo.BRIDGE_MUC=*"
     line: "org.jitsi.jicofo.auth.URL=XMPP:{{ inventory_hostname }}"
+  notify:
+    - restart jicofo
 
 - name: Conf Jitsi - Création de l'utilisateur prosody
-  shell: prosodyctl register {{ jitsi_user }} {{ inventory_hostname }} {{ jitsi_pass }}
-
-- name: Redémarrage des services
-  systemd:
-    name: '{{ item }}.service'
-    state: restarted
-  with_items:
-    - prosody
-    - jicofo
-    - jitsi-videobridge2
+  command: prosodyctl register {{ jitsi_user }} {{ inventory_hostname }} {{ jitsi_pass }}
+  notify:
+    - restart prosody

roles/common/files/jail.conf

@@ -0,0 +1,11 @@
+[DEFAULT]
+
+backend = systemd
+banaction = nftables-multiport
+
+# 92.154.111.181 - IP des bureaux de nereide
+# 86.244.5.54 - IP maison Antoine
+ignoreip = 127.0.0.1 92.154.111.181 86.244.5.54
+findtime = 1h
+bantime = 1d
+maxretry = 3

roles/common/files/nftables.conf

@@ -0,0 +1,36 @@
+
+#!/usr/sbin/nftables -f
+
+flush ruleset
+
+# family `inet` c'est pour ipv4/ipv6
+table inet myfilter {
+        chain myglobal {
+                # par défaut on accepte tous les paquets entrant
+                type filter hook input priority 0; policy accept;
+                # accepte les ping (mais pas plus de 1 par seconde)
+                ip protocol icmp icmp type { echo-request, echo-reply } limit rate 1/second accept
+                ip protocol icmp icmp type { echo-request, echo-reply } drop
+                ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } limit rate 1/second accept
+                ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } drop
+                # on accepte tout le reste du traffic icmp
+                ip protocol icmp accept
+                ip6 nexthdr icmpv6 accept
+                # accepte le traffic qui vient de nous
+                ct state established,related accept
+                ct state invalid drop
+                # accepte le traffic localhost
+                iif lo accept
+                # accepte tout le traffic ssh peut importe l'origine
+                tcp dport 22 accept
+                # abandonne le traffic depuis le réseau local
+                ip saddr 10.0.0.0/8 drop
+                ip6 saddr { fe80::/10, fc00::/7 } drop
+                # accepte le traffic tcp depuis le reste du monde si la cible est un des ports http, https, smtp
+                tcp dport {25, 80, 443} accept
+                
+                # count and drop any other traffic
+                counter drop
+        }
+
+}

roles/common/files/service-override.conf

@@ -0,0 +1,3 @@
+[Service]
+ExecStartPre=nft add table inet filter
+ExecStartPre=nft add chain inet filter input { type filter hook input priority 0; policy accept; }

roles/common/handlers/main.yml

@@ -0,0 +1,13 @@
+---
+- name: restart fail2ban
+  systemd:
+    name: fail2ban
+    state: restarted
+    daemon_reload: true
+    enabled: true
+
+- name: reload nftables
+  systemd:
+    name: nftables
+    state: reload
+    enabled: true

roles/common/tasks/jitsi_conf.yml

@@ -0,0 +1,44 @@
+---
+- name: Configuration de let's encrypt
+  script: files/jitsi-letsencrypt.sh > jitsi-letsencrypt.log
+
+- name: Conf Jitsi - UI en fr
+  lineinfile:
+    path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
+    insertafter: "[^?]// defaultLanguage: 'en'"
+    line: "    defaultLanguage: 'fr',"
+
+- name: Conf Jitsi - webcam en qualité medium par defaut 1/2
+  lineinfile:
+    path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
+    insertafter: "[^?]// resolution: 720"
+    line: "    resolution: 360,"
+
+- name:  Conf Jitsi - webcam en qualité medium par defaut 2/2
+  blockinfile:
+    path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
+    marker: "// {mark} ANSIBLE MANAGED BLOCK"
+    insertafter: "// ratio of 16:9 with an ideal resolution of 720."
+    block: |
+        constraints: {
+          video: {
+            aspectRatio: 16 / 9,
+            height: {
+              ideal: 360,
+              max: 360,
+              min: 240
+            }
+          }
+        },
+
+- name: Conf Jitsi - Désactive l'effet floutage d'arrière plan
+  replace:
+    path: /usr/share/jitsi-meet/interface_config.js
+    regexp: "'videobackgroundblur',"
+    replace: ""
+
+- name: Conf Jitsi - Active une alerte pour les utilisateurs de Firefox
+  replace:
+    path: /usr/share/jitsi-meet/interface_config.js
+    regexp: "'firefox',"
+    replace: ""

roles/common/tasks/jitsi_install.yml

@@ -0,0 +1,30 @@
+---
+- name: Ajout de la clé GPG pour le depot jitsi
+  apt_key:
+    url: https://download.jitsi.org/jitsi-key.gpg.key
+
+- name: Ajout du depot jitsi
+  apt_repository:
+    repo: deb https://download.jitsi.org stable/
+
+- name: apt update
+  apt:
+    update_cache: true
+
+- name: Application du hostname avant installation
+  debconf:
+    name: jitsi-meet-web-config
+    question: jitsi-videobridge/jvb-hostname
+    value: '{{ inventory_hostname }}'
+    vtype: string
+
+- name: On veut un certificat autogénéré
+  debconf:
+    name: jitsi-meet-web-config
+    question: jitsi-meet/cert-choice
+    value: "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)"
+    vtype: string
+
+- name: installation de jitsi
+  apt:
+    name: jitsi-meet

roles/common/tasks/main.yml

@@ -1,74 +1,4 @@
 ---
-- name: Ajout de la clé GPG pour le depot jitsi
-  apt_key:
-    url: https://download.jitsi.org/jitsi-key.gpg.key
-
-- name: Ajout du depot jitsi
-  apt_repository:
-    repo: deb https://download.jitsi.org stable/
-
-- name: apt update
-  apt:
-    update_cache: true
-
-- name: Application du hostname avant installation
-  debconf:
-    name: jitsi-meet-web-config
-    question: jitsi-videobridge/jvb-hostname
-    value: '{{ inventory_hostname }}'
-    vtype: string
-
-- name: On veut un certificat autogénéré
-  debconf:
-    name: jitsi-meet-web-config
-    question: jitsi-meet/cert-choice
-    value: "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)"
-    vtype: string
-
-- name: installation de jitsi
-  apt:
-    name: jitsi-meet
-
-- name: Configuration de let's encrypt
-  script: files/jitsi-letsencrypt.sh > jitsi-letsencrypt.log
-
-- name: Conf Jitsi - UI en fr
-  lineinfile:
-    path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
-    insertafter: "[^?]// defaultLanguage: 'en'"
-    line: "    defaultLanguage: 'fr',"
-
-- name: Conf Jitsi - webcam en qualité medium par defaut 1/2
-  lineinfile:
-    path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
-    insertafter: "[^?]// resolution: 720"
-    line: "    resolution: 360,"
-
-- name:  Conf Jitsi - webcam en qualité medium par defaut 2/2
-  blockinfile:
-    path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
-    marker: "// {mark} ANSIBLE MANAGED BLOCK"
-    insertafter: "// ratio of 16:9 with an ideal resolution of 720."
-    block: |
-        constraints: {
-          video: {
-            aspectRatio: 16 / 9,
-            height: {
-              ideal: 360,
-              max: 360,
-              min: 240
-            }
-          }        
-        },
-
-- name: Conf Jitsi - Désactive l'effet floutage d'arrière plan
-  replace:
-    path: /usr/share/jitsi-meet/interface_config.js
-    regexp: "'videobackgroundblur',"
-    replace: ""
-
-- name: Conf Jitsi - Active une alerte pour les utilisateurs de Firefox
-  replace:
-    path: /usr/share/jitsi-meet/interface_config.js
-    regexp: "'firefox',"
-    replace: ""
+- include_tasks: sys_conf.yml
+- include_tasks: jitsi_install.yml
+- include_tasks: jitsi_conf.yml

roles/common/tasks/sys_conf.yml

@@ -0,0 +1,32 @@
+---
+- name: Installation de fail2ban
+  apt:
+    name: fail2ban
+
+- name: Appliquation des règles de ban
+  template:
+    src: ../files/jail.conf
+    dest: /etc/fail2ban/jail.d/jail.conf
+  notify:
+    - restart fail2ban
+
+- name: Création du répertoire pour la surcharge systemd
+  file:
+    name: /etc/systemd/system/fail2ban.service.d
+    state: directory
+
+- name: Règle de base pour nftables
+  template:
+    src: ../files/service-override.conf
+    dest: /etc/systemd/system/fail2ban.service.d/override.conf
+  notify:
+    - restart fail2ban
+
+- name: Déploiement des règles nftables (base)
+  tags:
+    - nftables
+  template:
+    src: ../files/nftables.conf
+    dest: /etc/nftables.conf
+  notify:
+    - reload nftables