diff --git a/roles/auth/handlers/main.yml b/roles/auth/handlers/main.yml
new file mode 100644
index 0000000..eae2482
--- /dev/null
+++ b/roles/auth/handlers/main.yml
@@ -0,0 +1,18 @@
+---
+- name: restart prosody
+ systemd:
+ name: prosody
+ state: restarted
+ enabled: true
+
+- name: restart jicofo
+ systemd:
+ name: jicofo
+ state: restarted
+ enabled: true
+
+- name: restart jitsi-videobridge2
+ systemd:
+ name: jitsi-videobridge2
+ state: restarted
+ enabled: true
diff --git a/roles/auth/tasks/main.yml b/roles/auth/tasks/main.yml
index cc09d6c..5ba91fc 100644
--- a/roles/auth/tasks/main.yml
+++ b/roles/auth/tasks/main.yml
@@ -4,6 +4,8 @@
 path: /etc/prosody/conf.d/{{ inventory_hostname }}.cfg.lua
 regexp: 'authentication = "anonymous"'
 replace: 'authentication = "internal_plain"'
+ notify:
+ - restart prosody
 
 - name: Conf Jitsi - Activation de l'authentification prosody 2/2
 blockinfile:
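Review bot: The `replace:` that this hunk now wires to `restart prosody` switches the main VirtualHost to `internal_plain`, which keeps every account password unhashed in prosody's storage; `internal_hashed` is the drop-in alternative and `prosodyctl register` works with it unchanged, `replace: 'authentication = "internal_hashed"'`. That line is pre-existing context rather than part of this change, but since the commit is touching this task it is the natural moment to fix it. The task this hunk belongs to begins before the hunk.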
@@ -13,27 +15,26 @@
 VirtualHost "guest.{{ inventory_hostname }}"
 authentication = "anonymous"
 c2s_require_encryption = false
+ notify:
+ - restart prosody
 
 - name: Conf Jitsi - Activation de l'authentification jitsi
 lineinfile:
 path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
 insertafter: "[^?]// anonymousdomain: 'guest.example.com'"
 line: " anonymousdomain: 'guest.{{ inventory_hostname }}',"
+ notify:
+ - restart jitsi-videobridge2
 
 - name: Conf Jitsi - Activation de l'authentification jicofo
 lineinfile:
 path: /etc/jitsi/jicofo/sip-communicator.properties
 insertafter: "^org.jitsi.jicofo.BRIDGE_MUC=*"
 line: "org.jitsi.jicofo.auth.URL=XMPP:{{ inventory_hostname }}"
+ notify:
+ - restart jicofo
 
 - name: Conf Jitsi - Création de l'utilisateur prosody
- shell: prosodyctl register {{ jitsi_user }} {{ inventory_hostname }} {{ jitsi_pass }}
-
-- name: Redémarrage des services
- systemd:
- name: '{{ item }}.service'
- state: restarted
- with_items:
- - prosody
- - jicofo
- - jitsi-videobridge2
+ command: prosodyctl register {{ jitsi_user }} {{ inventory_hostname }} {{ jitsi_pass }}
+ notify:
+ - restart prosody
diff --git a/roles/common/files/jail.conf b/roles/common/files/jail.conf
new file mode 100644
index 0000000..8f6ed60
--- /dev/null
+++ b/roles/common/files/jail.conf
@@ -0,0 +1,11 @@
+[DEFAULT]
+
+backend = systemd
+banaction = nftables-multiport
+
+# 92.154.111.181 - IP des bureaux de nereide
+# 86.244.5.54 - IP maison Antoine
+ignoreip = 127.0.0.1 92.154.111.181 86.244.5.54
+findtime = 1h
+bantime = 1d
+maxretry = 3
\ No newline at end of file
diff --git a/roles/common/files/nftables.conf b/roles/common/files/nftables.conf
new file mode 100644
index 0000000..158695b
--- /dev/null
+++ b/roles/common/files/nftables.conf
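Review bot: `command: prosodyctl register {{ jitsi_user }} {{ inventory_hostname }} {{ jitsi_pass }}` still puts the account password on the command line, where it is visible in the process list on the host and is echoed into Ansible's output and logs; the task should at least carry `no_log: true`. It also runs on every play and notifies `restart prosody` each time, so it wants an idempotence guard, e.g. `args: creates:` pointing at the account file prosody writes (path to confirm on the target) or a `changed_when`/`failed_when` on the command output. Separately, `notify: - restart jitsi-videobridge2` on the `-config.js` edit looks misdirected: that file is the web client configuration and I see nothing that makes the videobridge read it, so a jicofo or no restart seems more plausible. The blockinfile task at the top of the hunk starts outside it.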
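Review bot: `ignoreip` hard-codes two public addresses, with comments naming an office and a person's home, in a file committed to the repository and later rendered with `template:`; move them into a variable (group_vars or Vault, name of your choosing) and render the line as `ignoreip = 127.0.0.1 {{ ignored_addresses | join(' ') }}` (constructed example) so they stop living in git history. Since `ignoreip` exempts those addresses from every jail, the comment above the line should also say that exemption is intended rather than only who they belong to. The file also lacks its trailing newline, as `\ No newline at end of file` shows; harmless to fail2ban but it keeps future diffs noisy.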
@@ -0,0 +1,36 @@
+
+#!/usr/sbin/nftables -f
+
+flush ruleset
+
+# family `inet` c'est pour ipv4/ipv6
+table inet myfilter {
+ chain myglobal {
+ # par défaut on accepte tous les paquets entrant
+ type filter hook input priority 0; policy accept;
+ # accepte les ping (mais pas plus de 1 par seconde)
+ ip protocol icmp icmp type { echo-request, echo-reply } limit rate 1/second accept
+ ip protocol icmp icmp type { echo-request, echo-reply } drop
+ ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } limit rate 1/second accept
+ ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } drop
+ # on accepte tout le reste du traffic icmp
+ ip protocol icmp accept
+ ip6 nexthdr icmpv6 accept
+ # accepte le traffic qui vient de nous
+ ct state established,related accept
+ ct state invalid drop
+ # accepte le traffic localhost
+ iif lo accept
+ # accepte tout le traffic ssh peut importe l'origine
+ tcp dport 22 accept
+ # abandonne le traffic depuis le réseau local
+ ip saddr 10.0.0.0/8 drop
+ ip6 saddr { fe80::/10, fc00::/7 } drop
+ # accepte le traffic tcp depuis le reste du monde si la cible est un des ports http, https, smtp
+ tcp dport {25, 80, 443} accept
+
+ # count and drop any other traffic
+ counter drop
+ }
+
+}
\ No newline at end of file
diff --git a/roles/common/files/service-override.conf b/roles/common/files/service-override.conf
new file mode 100644
index 0000000..def406c
--- /dev/null
+++ b/roles/common/files/service-override.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStartPre=nft add table inet filter
+ExecStartPre=nft add chain inet filter input { type filter hook input priority 0; policy accept; }
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
new file mode 100644
index 0000000..5ab8a34
--- /dev/null
+++ b/roles/common/handlers/main.yml
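Review bot: `flush ruleset` at the top wipes every table in the kernel, including the `inet filter` table that roles/common/files/service-override.conf creates for fail2ban, so each `reload nftables` silently removes all active bans until fail2ban is restarted; either scope the file to its own table by replacing the global flush with `table inet myfilter` followed by `delete table inet myfilter` (so only myfilter is recreated), or have the task that deploys this file notify `restart fail2ban` as well. The chain declares `policy accept` and the comment says "par défaut on accepte", yet the closing `counter drop` makes the effective policy drop; `policy drop` states that intent and stays safe if a rule ever fails to load, and the comment should describe the real behaviour.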
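Review bot: The two `ExecStartPre=` lines pre-create table `inet filter` and chain `input` without saying why; presumably this is for fail2ban's `nftables-multiport` action, which in older fail2ban releases inserts its ban rules into that table and chain without creating the chain itself, while newer releases manage their own table and chain and leave this one unused. That dependency belongs in the file, e.g. `# Table/chain expected by fail2ban's nftables-multiport action on older releases; drop once the action manages its own table`. A `Description=`-style note is not available in a drop-in, so the comment is the only place to record it.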
@@ -0,0 +1,13 @@
+---
+- name: restart fail2ban
+ systemd:
+ name: fail2ban
+ state: restarted
+ daemon_reload: true
+ enabled: true
+
+- name: reload nftables
+ systemd:
+ name: nftables
+ state: reload
+ enabled: true
diff --git a/roles/common/tasks/jitsi_conf.yml b/roles/common/tasks/jitsi_conf.yml
new file mode 100644
index 0000000..267dc51
--- /dev/null
+++ b/roles/common/tasks/jitsi_conf.yml
@@ -0,0 +1,44 @@
+---
+- name: Configuration de let's encrypt
+ script: files/jitsi-letsencrypt.sh > jitsi-letsencrypt.log
+
+- name: Conf Jitsi - UI en fr
+ lineinfile:
+ path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
+ insertafter: "[^?]// defaultLanguage: 'en'"
+ line: " defaultLanguage: 'fr',"
+
+- name: Conf Jitsi - webcam en qualité medium par defaut 1/2
+ lineinfile:
+ path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
+ insertafter: "[^?]// resolution: 720"
+ line: " resolution: 360,"
+
+- name: Conf Jitsi - webcam en qualité medium par defaut 2/2
+ blockinfile:
+ path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
+ marker: "// {mark} ANSIBLE MANAGED BLOCK"
+ insertafter: "// ratio of 16:9 with an ideal resolution of 720."
+ block: |
+ constraints: {
+ video: {
+ aspectRatio: 16 / 9,
+ height: {
+ ideal: 360,
+ max: 360,
+ min: 240
+ }
+ }
+ },
+
+- name: Conf Jitsi - Désactive l'effet floutage d'arrière plan
+ replace:
+ path: /usr/share/jitsi-meet/interface_config.js
+ regexp: "'videobackgroundblur',"
+ replace: ""
+
+- name: Conf Jitsi - Active une alerte pour les utilisateurs de Firefox
+ replace:
+ path: /usr/share/jitsi-meet/interface_config.js
+ regexp: "'firefox',"
+ replace: ""
diff --git a/roles/common/tasks/jitsi_install.yml b/roles/common/tasks/jitsi_install.yml
new file mode 100644
index 0000000..e22c5ba
--- /dev/null
+++ b/roles/common/tasks/jitsi_install.yml
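Review bot: `state: reload` in the `reload nftables` handler is not a value the `systemd` module accepts (it takes `reloaded`, `restarted`, `started`, `stopped`), so the handler fails the first time it is notified; change it to `state: reloaded`. Handlers also run in the order they are defined in this file, not the order they are notified, so when both fire fail2ban is restarted first and the nftables reload then applies `flush ruleset` from nftables.conf, which removes the table fail2ban's unit drop-in just created; listing `reload nftables` before `restart fail2ban` here leaves fail2ban's table in place at the end of the play.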
@@ -0,0 +1,30 @@
+---
+- name: Ajout de la clé GPG pour le depot jitsi
+ apt_key:
+ url: https://download.jitsi.org/jitsi-key.gpg.key
+
+- name: Ajout du depot jitsi
+ apt_repository:
+ repo: deb https://download.jitsi.org stable/
+
+- name: apt update
+ apt:
+ update_cache: true
+
+- name: Application du hostname avant installation
+ debconf:
+ name: jitsi-meet-web-config
+ question: jitsi-videobridge/jvb-hostname
+ value: '{{ inventory_hostname }}'
+ vtype: string
+
+- name: On veut un certificat autogénéré
+ debconf:
+ name: jitsi-meet-web-config
+ question: jitsi-meet/cert-choice
+ value: "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)"
+ vtype: string
+
+- name: installation de jitsi
+ apt:
+ name: jitsi-meet
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 31a9306..37a9ed7 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -1,74 +1,4 @@
 ---
-- name: Ajout de la clé GPG pour le depot jitsi
- apt_key:
- url: https://download.jitsi.org/jitsi-key.gpg.key
-
-- name: Ajout du depot jitsi
- apt_repository:
- repo: deb https://download.jitsi.org stable/
-
-- name: apt update
- apt:
- update_cache: true
-
-- name: Application du hostname avant installation
- debconf:
- name: jitsi-meet-web-config
- question: jitsi-videobridge/jvb-hostname
- value: '{{ inventory_hostname }}'
- vtype: string
-
-- name: On veut un certificat autogénéré
- debconf:
- name: jitsi-meet-web-config
- question: jitsi-meet/cert-choice
- value: "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)"
- vtype: string
-
-- name: installation de jitsi
- apt:
- name: jitsi-meet
-
-- name: Configuration de let's encrypt
- script: files/jitsi-letsencrypt.sh > jitsi-letsencrypt.log
-
-- name: Conf Jitsi - UI en fr
- lineinfile:
- path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
- insertafter: "[^?]// defaultLanguage: 'en'"
- line: " defaultLanguage: 'fr',"
-
-- name: Conf Jitsi - webcam en qualité medium par defaut 1/2
- lineinfile:
- path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
- insertafter: "[^?]// resolution: 720"
- line: " resolution: 360,"
-
-- name: Conf Jitsi - webcam en qualité medium par defaut 2/2
- blockinfile:
- path: /etc/jitsi/meet/{{ inventory_hostname }}-config.js
- marker: "// {mark} ANSIBLE MANAGED BLOCK"
- insertafter: "// ratio of 16:9 with an ideal resolution of 720."
- block: |
- constraints: {
- video: {
- aspectRatio: 16 / 9,
- height: {
- ideal: 360,
- max: 360,
- min: 240
- }
- }
- },
-
-- name: Conf Jitsi - Désactive l'effet floutage d'arrière plan
- replace:
- path: /usr/share/jitsi-meet/interface_config.js
- regexp: "'videobackgroundblur',"
- replace: ""
-
-- name: Conf Jitsi - Active une alerte pour les utilisateurs de Firefox
- replace:
- path: /usr/share/jitsi-meet/interface_config.js
- regexp: "'firefox',"
- replace: ""
+- include_tasks: sys_conf.yml
+- include_tasks: jitsi_install.yml
+- include_tasks: jitsi_conf.yml
diff --git a/roles/common/tasks/sys_conf.yml b/roles/common/tasks/sys_conf.yml
new file mode 100644
index 0000000..bf541a5
--- /dev/null
+++ b/roles/common/tasks/sys_conf.yml
@@ -0,0 +1,32 @@
+---
+- name: Installation de fail2ban
+ apt:
+ name: fail2ban
+
+- name: Appliquation des règles de ban
+ template:
+ src: ../files/jail.conf
+ dest: /etc/fail2ban/jail.d/jail.conf
+ notify:
+ - restart fail2ban
+
+- name: Création du répertoire pour la surcharge systemd
+ file:
+ name: /etc/systemd/system/fail2ban.service.d
+ state: directory
+
+- name: Règle de base pour nftables
+ template:
+ src: ../files/service-override.conf
+ dest: /etc/systemd/system/fail2ban.service.d/override.conf
+ notify:
+ - restart fail2ban
+
+- name: Déploiement des règles nftables (base)
+ tags:
+ - nftables
+ template:
+ src: ../files/nftables.conf
+ dest: /etc/nftables.conf
+ notify:
+ - reload nftables
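Review bot: The three `include_tasks` lines are dynamic includes, and tags on tasks inside a dynamically included file are only honoured when the include itself carries the tag: `ansible-playbook --tags nftables` skips these untagged includes, so the `tags: - nftables` task in roles/common/tasks/sys_conf.yml never runs under that invocation. Switching to `import_tasks:` (static, tags propagate to the imported tasks) or tagging the include restores that entry point, e.g. `- import_tasks: sys_conf.yml`.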
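Review bot: The three `template:` tasks render files that contain no Jinja and live under `files/` (reached via `src: ../files/...`); `copy:` is the module for that, and it keeps the template engine from ever interpreting a `{{`, `{%` or `{#` sequence that may later land in nftables.conf or jail.conf. The nftables task notifies only `reload nftables`, yet nftables.conf starts with `flush ruleset`, which deletes the table fail2ban's unit drop-in created, so it should also notify fail2ban, `notify: [reload nftables, restart fail2ban]`. Nothing in this file installs or enables the `nftables` package before its config is deployed and reloaded; if the base image does not ship it, an `apt: name: nftables` task like the fail2ban one is needed.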