Resolve "execution des roles plus flexible"

Antoine Ouvrard
2020-04-20 21:00:38 +02:00
parent 465876051e
commit dd883c8c1a
18 changed files with 106 additions and 170 deletions
@@ -0,0 +1,7 @@
[Unit]
After=nftables.service
PartOf=nftables.service
[Service]
ExecStartPre=nft add table inet filter
ExecStartPre=nft add chain inet filter input { type filter hook input priority 0; policy accept; }
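Review bot: The `inet filter` table and `input` chain created by these two `ExecStartPre` lines are wiped by the `flush ruleset` at the top of the nftables.conf shipped in this same commit, so every fail2ban ban rule living in that table disappears whenever nftables re-applies its ruleset. `PartOf=nftables.service` only propagates stop and restart; if nftables.service carries an `ExecReload` (Debian's unit does, as far as I know), a `systemctl reload nftables` leaves fail2ban running against an empty table until its next restart, with no error anywhere. That dependency deserves a comment above `[Unit]`, e.g. `# nftables.conf flushes the ruleset: after a reload of nftables, restart fail2ban so its table and chain are recreated`. The hunk header announces 7 lines but 6 are visible here, so one line (probably blank) is missing from this rendering.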
+10
@@ -0,0 +1,10 @@
[DEFAULT]
backend = systemd
banaction = nftables-multiport
# 92.154.111.181 - IP des bureaux de nereide
ignoreip = 127.0.0.1 92.154.111.181
findtime = 1h
bantime = 1d
maxretry = 3
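Review bot: `ignoreip = 127.0.0.1 92.154.111.181` hard-codes the office address inside a file that is deployed through the `template` module, so it could be driven from inventory instead, e.g. `ignoreip = 127.0.0.1 {{ fail2ban_ignoreip }}` with a role default (variable name constructed here). A `[DEFAULT]` section on its own enables no jail: unless the two lines missing from this rendering (10 announced, 8 visible) or a distribution-shipped jail file enable `[sshd]`, `banaction = nftables-multiport` has nothing to act on, so the task name "règles de ban ssh" may promise more than this file delivers. `findtime = 1h` and `bantime = 1d` rely on time-suffix parsing, which I believe only fail2ban 0.10 and later accept; a comment noting the minimum version would help if older hosts are ever targeted.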
@@ -0,0 +1,35 @@
#!/usr/sbin/nftables -f
flush ruleset
# family `inet` c'est pour ipv4/ipv6
table inet myfilter {
chain myglobal {
# par défaut on accepte tous les paquets entrant
type filter hook input priority 0; policy accept;
# accepte les ping (mais pas plus de 1 par seconde)
ip protocol icmp icmp type { echo-request, echo-reply } limit rate 1/second accept
ip protocol icmp icmp type { echo-request, echo-reply } drop
ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } limit rate 1/second accept
ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply } drop
# on accepte tout le reste du traffic icmp
ip protocol icmp accept
ip6 nexthdr icmpv6 accept
# accepte le traffic qui vient de nous
ct state established,related accept
ct state invalid drop
# accepte le traffic localhost
iif lo accept
# accepte tout le traffic ssh peut importe l'origine
tcp dport 22 accept
# accepte le traffic tcp depuis le reste du monde si la cible est un des ports http, https, smtp
tcp dport {80, 443} accept
# ouvre les port udp I/O 10000 et 44446 pour jitsi
udp dport {10000, 4446} accept
udp sport {10000, 4446} accept
# count and drop any other traffic
counter drop
}
}
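Review bot: `udp sport {10000, 4446} accept` admits any inbound UDP datagram whose source port is 10000 or 4446 regardless of its destination, which lets such traffic skip the `counter drop` at the end of the chain; legitimate reply traffic is already accepted by `ct state established,related accept` earlier in the same chain, so the sport rule adds exposure without adding function and can be removed. Two comments also disagree with the rules beneath them: the one above `tcp dport {80, 443} accept` mentions smtp, which is not in the set (either drop the word or add the port if it was intended), and the one above the udp rules says 44446 where the rule says 4446. Blank lines appear to have been dropped in this rendering (35 announced, fewer visible), so nothing is inferred about layout.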
+13
@@ -0,0 +1,13 @@
---
- name: restart fail2ban
systemd:
name: fail2ban
state: restarted
daemon_reload: true
enabled: true
- name: restart nftables
systemd:
name: nftables
state: restarted
enabled: true
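Review bot: `daemon_reload: true` on the `restart fail2ban` handler is what makes the deployed systemd override take effect, but the task in this commit that writes `/etc/systemd/system/fail2ban.service.d/override.conf` carries no `notify`, so a change to the override alone never reaches this handler; fail2ban is only reloaded when jail.conf or nftables.conf changes. Add `notify: [restart fail2ban]` to that task. Because the override declares `PartOf=nftables.service`, the `restart nftables` handler already restarts fail2ban through systemd, so notifying both handlers is harmless but redundant; a one-line comment above `- name: restart nftables` saying so, e.g. `# also restarts fail2ban via PartOf= in its override`, would spare the next reader the question. Indentation is lost in this rendering, so the nesting is inferred.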
+63
@@ -0,0 +1,63 @@
---
- name: Installation de fail2ban, nftables, gnupg2, apt-transport-https
apt:
name:
- fail2ban
- nftables
- gnupg2
- apt-transport-https
update_cache: true
state: present
- name: Appliquation des règles de ban ssh
template:
src: ../files/jail.conf
dest: /etc/fail2ban/jail.d/jail.conf
notify:
- restart fail2ban
- name: Création du répertoire pour la surcharge systemd
file:
name: /etc/systemd/system/fail2ban.service.d
state: directory
- name: Règle de base pour nftables
template:
src: ../files/fail2ban-override.conf
dest: /etc/systemd/system/fail2ban.service.d/override.conf
- name: Déploiement des règles nftables (base)
tags:
- nftables
template:
src: ../files/nftables.conf
dest: /etc/nftables.conf
notify:
- restart nftables
- restart fail2ban
- name: Ajout de la clé GPG pour le depot jitsi
apt_key:
url: http://download.jitsi.org/jitsi-key.gpg.key
- name: Ajout du depot jitsi
apt_repository:
repo: deb https://download.jitsi.org stable/
- name: apt update
apt:
update_cache: true
- name: Application du hostname avant installation
debconf:
name: jitsi-meet-web-config
question: jitsi-videobridge/jvb-hostname
value: '{{ inventory_hostname }}'
vtype: string
- name: On veut un certificat autogénéré
debconf:
name: jitsi-meet-web-config
question: jitsi-meet/cert-choice
value: "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)"
vtype: string