Skip to content
Snippets Groups Projects
Commit ff593670 authored by nimrod's avatar nimrod
Browse files

Router role. 

And playbook. Provision the ns1 host that's also the homelab router.
parent bbeb28e0
No related branches found
No related tags found
No related merge requests found
Show whitespace changes
Inline Side-by-side
Showing
with 818 additions and 0 deletions
.pre-commit-config.yaml
+ 1
0
View file @ ff593670
...@@ -13,6 +13,7 @@ repos: ...@@ -13,6 +13,7 @@ repos:
rev: v0.14.3 rev: v0.14.3
hooks: hooks:
- id: detect-secrets - id: detect-secrets
exclude: nsd/shore\.co\.il|roles/router/vars/main\.yaml
- repo: https://github.com/adrienverge/yamllint - repo: https://github.com/adrienverge/yamllint
rev: v1.25.0 rev: v1.25.0
......
roles/router/defaults/main.yaml 0 → 100644
+ 1
0
View file @ ff593670
---
roles/router/files/bgpd.conf 0 → 100644
+ 23
0
View file @ ff593670
spamdAS="65066"
AS 65001
fib-update no # Mandatory, to not update the local routing table
group "spamd-bgp" {
remote-as $spamdAS
multihop 64
announce IPv4 none # Do not send Route Server any information
# us.bgp-spamd.net
neighbor 64.142.121.62
# eu.bgp-spamd.net
neighbor 217.31.80.170
# IPv6 eu.bgp-spamd.net
neighbor 2a00:15a8:0:100:0:d91f:50aa:1
}
# 'match' is required, to remove entries when routes are withdrawn
# This updates the <bgp-spamd-bypass> table in PF
match from group spamd-bgp community $spamdAS:42 set pftable "bgp-spamd-bypass"
roles/router/files/dhcpd.conf 0 → 100644
+ 30
0
View file @ ff593670
max-lease-time 86400;
default-lease-time 3600;
deny unknown-clients;
authoritative;
use-host-decl-names on;
subnet 192.168.3.0 netmask 255.255.255.0
{
allow unknown-clients;
option domain-name-servers 192.168.3.1;
option routers 192.168.3.1;
option domain-name "shore.co.il";
range 192.168.3.100 192.168.3.199;
host kodi
{
#hardware ethernet ac:f1:df:12:33:24;
hardware ethernet 10:c3:7b:9c:b8:fa;
fixed-address kodi.shore.co.il;
}
host ea6350
{
hardware ethernet 60:38:E0:AE:19:4A;
fixed-address ea6350.shore.co.il;
}
host host01
{
hardware ethernet C0:7C:D1:C0:02:99;
fixed-address host01.shore.co.il;
}
}
roles/router/files/hosts 0 → 100644
+ 6
0
View file @ ff593670
127.0.0.1 localhost
::1 localhost
192.168.3.1 ns1
192.168.3.11 ea6350.shore.co.il ea6350
192.168.3.12 xbmc.shore.co.il xbmc kodi.shore.co.il kodi
192.168.3.17 host01.shore.co.il host01
roles/router/files/mail/spamd.conf 0 → 100644
+ 45
0
View file @ ff593670
# $OpenBSD: spamd.conf,v 1.4 2012/05/14 16:58:46 beck Exp $
#
# spamd(8) configuration file, read by spamd-setup(8).
# See also spamd.conf(5).
#
# Configures lists for spamd(8).
#
# Strings follow getcap(3) convention escapes, other than you
# can have a bare colon (:) inside a quoted string and it
# will deal with it. See spamd-setup(8) for more details.
#
# "all" must be here, and defines the order in which lists are applied.
# Lists specified with the :white: capability apply to the previous
# list with a :black: capability.
#
# As of November 2004, a place to search for blacklists is
# http://spamlinks.net/filter-bl.htm
all:\
:uatraps:nixspam:
# University of Alberta greytrap hits.
# Addresses stay in it for 24 hours from time they misbehave.
uatraps:\
:black:\
:msg="Your address %A has sent mail to a ualberta.ca spamtrap\n\
within the last 24 hours":\
:method=http:\
:file=www.openbsd.org/spamd/traplist.gz
# Nixspam recent sources list.
# Mirrored from http://www.heise.de/ix/nixspam
nixspam:\
:black:\
:msg="Your address %A is in the nixspam list\n\
See http://www.heise.de/ix/nixspam/dnsbl_en/ for details":\
:method=http:\
:file=www.openbsd.org/spamd/nixspam.gz
# An example of a list containing addresses which should not talk to spamd.
#
#override:\
# :white:\
# :method=file:\
# :file=/var/db/override.txt:
roles/router/files/nsd/shore.co.il 0 → 100644
+ 73
0
View file @ ff593670
$TTL 1h
$ORIGIN shore.co.il.
@ IN SOA ns1 hostmaster (
2021011602
1h
5m
4w
3h )
IN NS ns1
IN NS ns4
IN A 163.172.74.36
IN TXT "v=spf1 +mx -all"
IN SPF "v=spf1 +mx -all"
IN MX 10 smtp
IN CAA 128 issue "letsencrypt.org"
ns1 IN A 62.219.131.121
IN SPF "v=spf1 -all"
IN TXT "v=spf1 -all"
ns4 IN A 163.172.74.36
IN TXT "v=spf1 -all"
IN SPF "v=spf1 -all"
smtp IN A 62.219.131.121
IN TXT "v=spf1 -all"
IN SPF "v=spf1 -all"
_imaps._tcp IN SRV 0 1 993 imap
IN TXT "v=spf1 -all"
IN SPF "v=spf1 -all"
_submission._tcp IN SRV 0 1 587 smtp
IN TXT "v=spf1 -all"
IN SPF "v=spf1 -all"
_smtp._tls IN TXT "v=TLSRPTv1;rua=mailto:postmaster@shore.co.il"
IN TXT "v=spf1 -all"
IN SPF "v=spf1 -all"
_mta-sts IN TXT "v=STSv1;id=2020072604;"
IN TXT "v=spf1 -all"
IN SPF "v=spf1 -all"
_carddavs._tcp IN SRV 0 1 443 nextcloud
IN TXT "v=spf1 -all"
IN SPF "v=spf1 -all"
_caldavs._tcp IN SRV 0 1 443 nextcloud
IN TXT "v=spf1 -all"
IN SPF "v=spf1 -all"
www IN CNAME ns4
autoconfig IN CNAME ns4
nextcloud IN CNAME ns1
git IN CNAME ns1
lam IN CNAME ns1
registry IN CNAME ns4
imap IN CNAME smtp
mta-sts IN CNAME smtp
host01._domainkey IN TXT ("v=DKIM1\; k=rsa\;"
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw9EM6TzCofz004vL+aBV"
"rUcCE2CjIcBw+k50vOir4JkE/+UxAStV/MHT59S0ObjMnkkjR0YCKKJqBPWwaqva"
"ztZqIj/7g0IsrqoCgVeCcrBEPZ86BN2f4K+r5cWoWwUXtWyVMxJA8J+nnf/7ntLb"
"e63tzKMZepfDHtbgojG88nyi6rdtdJYOIgVKoNhfLS7K4oxSHGmj0RjCO7CbB/8S"
"swJhQMwGXCL87iBiQko8e/rqMxbhAuuYRp/ZbM5UXUc+Ds84PRx4TPOxYUC99x2g"
"TlGIStWa09I0z1JnutqedBrN0uo52DKkA5jLN2xqabZ8RVdVLVmtM50Fbq5EimAK"
"swIDAQAB\;")
_adsp._domainkey IN TXT "dkim=all;"
_dmarc IN TXT "v=DMARC1;p=quarantine;pct=100;sp=reject;fo=1;rua=mailto:postmaster@shore.co.il;ruf=mailto:postmaster@shore.co.il;adkim=s;aspf=s"
roles/router/files/nsd/shore_co_il.conf 0 → 100644
+ 5
0
View file @ ff593670
zone:
name: "shore.co.il"
zonefile: "shore.co.il"
notify: 163.172.74.36 NOKEY #ns4.shore.co.il
provide-xfr: 0.0.0.0/0 NOKEY
roles/router/files/pf.conf 0 → 100644
+ 54
0
View file @ ff593670
# Policy
set skip on lo
set block-policy return
anchor "ftp-proxy/*"
block quick inet6 all
block in quick from <brute>
block out quick to <brute>
block drop in quick on egress from <martians>
block drop out quick on egress to <martians>
antispoof quick for ingress
match in all scrub (max-mss 1440)
# Tables
table <martians> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 } #non routable address blocks
table <brute> persist #table for brute force attempts, etc.
table <bgp-spamd-bypass> persist # table for spamd whitelisted addresses.
# Queues, priorities
queue egress on pppoe0 bandwidth 50M qlimit 10000
queue critical parent egress bandwidth 10M max 40M min 1M qlimit 2000
queue services parent egress bandwidth 10M max 40M qlimit 2000
queue other parent egress bandwidth 30M max 40M default qlimit 1000
queue bulk parent egress bandwidth 30M qlimit 200
match on egress proto { tcp, udp } to port { ssh, isakmp, l2tp, ipsec-nat-t, domain } set queue critical set prio 6
match on egress proto { ah, esp, gre, icmp } set queue critical set prio 6
match on egress proto tcp to port { smtp, www, https, submission, imaps } set queue services set prio 4
match on egress proto { tcp, udp } from kodi.shore.co.il port bittorrent set queue bulk set prio 1
match on egress proto { tcp, udp } to kodi.shore.co.il port bittorrent set queue bulk set prio 1
# Defaults
pass in quick proto tcp to (all:0) port ssh keep state (source-track rule, max 100, max-src-nodes 10, max-src-conn-rate 15/60, overload <brute> flush global)
match out on egress inet from (ingress:network) nat-to (egress)
block in all
pass out all
pass quick inet proto icmp icmp-type { echoreq, unreach }
# Allowed local services
pass in quick on ingress proto { tcp, udp } to (ingress:0) port { bootps, bootpc } set prio ( 4, 6 )
pass in quick proto { tcp, udp } to port domain set queue services set prio ( 4, 6 )
#pass in quick proto tcp to (egress:0) port { www, https } set prio ( 4, 6 )
# Port redirection
pass in quick proto tcp to (egress:0) port { smtp, submission, imaps, www, https } rdr-to host01.shore.co.il set queue critical set prio ( 4, 6 )
pass out quick proto tcp to host01.shore.co.il port { submission, smtp, imaps, www, https } received-on ingress nat-to ingress set prio ( 4, 6 )
#pass in quick proto tcp to (egress:0) port { smtp, submission, imaps } rdr-to host01.shore.co.il set queue critical set prio ( 4, 6 )
#pass out quick proto tcp to host01.shore.co.il port { submission, smtp, imaps } received-on ingress nat-to ingress set prio ( 4, 6 )
pass in quick proto { tcp, udp } to (egress:0) port bittorrent rdr-to kodi.shore.co.il set queue bulk set prio 1
# Allowd NAT and proxying
#pass in quick on ingress inet proto tcp to egress:network port www divert-to localhost port wwwproxy
pass in quick on ingress inet proto tcp to port ftp divert-to localhost port ftpproxy
pass in quick on ingress inet to !(ingress:0)
roles/router/files/unbound/shore.co.il.conf 0 → 100644
+ 9
0
View file @ ff593670
server:
interface: 192.168.3.1 #ingress
#local-zone: "shore.co.il." static
access-control: 192.168.3.0/8 allow
access-control: 127.0.0.0/8 allow
local-data: "ea6350.shore.co.il. A 192.168.3.11"
local-data: "kodi.shore.co.il. A 192.168.3.12"
local-data: "host01.shore.co.il. A 192.168.3.17"
local-data: "smtp.shore.co.il. A 192.168.3.17"
roles/router/handlers/main.yaml 0 → 100644
+ 77
0
View file @ ff593670
---
- name: Setup network interfaces
command:
cmd: /bin/sh /etc/netstart
- name: Reload PF
command:
cmd: pfctl -f /etc/pf.conf
- name: Rebuild mail aliases
command:
cmd: newaliases
- name: Restart NSD
service:
name: nsd
state: restarted
- name: Restart Unbound
service:
name: unbound
state: restarted
- name: Restart the FTP proxy
service:
name: ftpproxy
state: restarted
- name: Restart the DHCP daemon
service:
name: dhcpd
state: restarted
- name: Restart the SMTP daemon
service:
name: smtpd
state: restarted
- name: Restart the spam deferral daemon
service:
name: spamd
state: restarted
- name: Restart Nginx
service:
name: nginx
state: restarted
- name: Restart the BGP daemon
service:
name: bgpd
state: restarted
- name: Restart the NTP daemon
service:
name: ntpd
state: restarted
- name: Restart the HTTP daemon
service:
name: httpd
state: restarted
- name: Message about restarting the machine
debug:
msg: The {{ ansible_hostname }} needs to be restarted
verbosity: 0
- name: Stop the audio server
service:
name: sndiod
state: stopped
- name: Restart the SSH daemon
service:
name: sshd
state: restarted
roles/router/tasks/main.yaml 0 → 100644
+ 479
0
View file @ ff593670
---
- name: Configure sysctl
ignore_errors: true
with_dict:
net.inet.ip.forwarding: "1"
sysctl:
name: '{{ item.key }}'
value: '{{ item.value }}'
tags:
- sysctl
- network
- pf
- name: Set hosts entries
copy:
dest: /etc/hosts
mode: preserve
src: hosts
diff: true
tags:
- hosts
- dns
- network
- pf
- name: Set services entries
loop:
- line: 'wwwproxy 3129/tcp' # noqa 203
regexp: ' 3129/tcp' # noqa 203
- line: 'ftpproxy 8021/tcp' # noqa 203
regexp: ' 8021/tcp' # noqa 203
- line: 'bittorrent 51413/tcp' # noqa 203
regexp: ' 51413/tcp' # noqa 203
lineinfile:
backup: true
line: '{{ item.line }}'
path: /etc/services
regexp: '{{ item.regexp }}'
state: present
tags:
- network
- pf
- name: Set DNS resolving
copy:
content: |-
search shore.co.il
nameserver 127.0.0.1
lookup file bind
dest: /etc/resolv.conf
mode: 0o0644
diff: true
tags:
- resolv
- dns
- network
- name: Configure the network interfaces
with_dict:
em1: |
inet 192.168.3.1 255.255.255.0
description "Connected to internal LAN."
group ingress
up
em5: |
description "Connected to DSL modem for PPPoE connection to the ISP."
up
pppoe0: |
inet 62.219.131.121 255.255.255.255 NONE \
pppoedev em5 authproto pap \
authname 'ns_nimadar@014' authkey '{{ bezeqint_password }}' up
dest 0.0.0.1
description "The connection to the internet."
!/sbin/route add default -ifp pppoe0 62.219.131.121
copy:
content: '{{ item.value }}'
dest: /etc/hostname.{{ item.key }}
owner: root
group: wheel
mode: 0o0600
diff: true
notify:
- Setup network interfaces
tags:
- interface
- network
- name: Configure the Unbound DNS resolver
file:
path: /var/unbound/etc/unbound.conf.d
mode: 0o0755
state: directory
tags:
- unbound
- dns
- network
- name: Configure Ubnound DNS resolver
lineinfile:
insertafter: EOF
line: >-
include: "/var/unbound/etc/unbound.conf.d/*.conf"
path: /var/unbound/etc/unbound.conf
validate: unbound-checkconf %s
notify:
- Restart Unbound
tags:
- unbound
- dns
- network
- name: Configure the Unbound DNS resolver
loop:
- shore.co.il.conf
copy:
dest: '/var/unbound/etc/unbound.conf.d/{{ item }}'
mode: preserve
src: 'unbound/{{ item }}'
validate: unbound-checkconf %s
diff: true
notify:
- Restart Unbound
tags:
- unbound
- dns
- network
- name: Enable the Unbound DNS resolver
service:
enabled: true
name: unbound
tags:
- unbound
- dns
- network
- name: Configure PF
copy:
dest: /etc/pf.conf
mode: 0o0600
src: pf.conf
validate: pfctl -nf %s
diff: true
notify:
- Reload PF
tags:
- pf
- network
- name: Enable the FTP proxy
service:
enabled: true
name: ftpproxy
notify: Restart the FTP proxy
tags:
- ftpproxy
- network
- name: Apply changes (if needed) to properly setup networking
meta: flush_handlers
tags:
- always
- name: Install packages
loop:
- bash
- curl
- git
- go
openbsd_pkg:
name: '{{ item }}'
state: present
tags:
- packages
- name: Allow Bash as a login shell
lineinfile:
line: /usr/local/bin/bash
path: /etc/shells
tags:
- bash
- name: Set Bash as the login shell
user:
name: '{{ ansible_env["DOAS_USER"] }}'
shell: /usr/local/bin/bash
tags:
- bash
- name: Set boot configuration
copy:
content: |
stty com1 115200
set tty com1
mode: 0o0755
dest: /etc/boot.conf
diff: true
notify:
- Message about restarting the machine
tags:
- boot
- name: Configure the NSD DNS server
file:
path: /var/nsd/etc/nsd.conf.d
mode: 0o0755
state: directory
tags:
- nsd
- dns
- network
- name: Configure the NSD DNS server
loop:
- line: >-
include: "/var/nsd/etc/nsd.conf.d/*.conf"
insertafter: EOF
- line: >-
ip-address: 62.219.131.121
insertafter: 'server:'
lineinfile:
insertafter: '{{ item.insertafter }}'
line: '{{ item.line }}'
path: /var/nsd/etc/nsd.conf
validate: nsd-checkconf %s
notify:
- Restart NSD
tags:
- nsd
- dns
- network
- name: Configure the NSD DNS server
loop:
- shore_co_il.conf
copy:
dest: '/var/nsd/etc/nsd.conf.d/{{ item }}'
mode: preserve
src: 'nsd/{{ item }}'
validate: nsd-checkconf %s
diff: true
notify:
- Restart NSD
tags:
- nsd
- dns
- network
- name: Configure the NSD DNS server
loop:
- shore.co.il
copy:
dest: '/var/nsd/zones/{{ item }}'
mode: preserve
src: 'nsd/{{ item }}'
# validate: nsd-checkzone %s
diff: true
notify:
- Restart NSD
tags:
- nsd
- dns
- network
- name: Enable the NSD DNS server
service:
enabled: true
name: nsd
tags:
- nsd
- dns
- network
- name: Configure the DHCP daemon
copy:
dest: /etc/dhcpd.conf
mode: preserve
src: dhcpd.conf
validate: dhcpd -nc %s
diff: true
notify:
- Restart the DHCP daemon
tags:
- dhcp
- network
- name: Enable the DHCP daemon
service:
enabled: true
name: dhcpd
notify:
- Restart the DHCP daemon
tags:
- dhcp
- network
- name: Configure mail relaying
lineinfile:
line: action "outbound" relay host host01.shore.co.il
path: /etc/mail/smtpd.conf
regexp: action "outbound" relay
state: present
validate: smtpd -nf %s
notify:
- Restart the SMTP daemon
tags:
- mail
- name: Configure the spam deferral daemon
copy:
dest: /etc/mail/spamd.conf
mode: preserve
src: mail/spamd.conf
diff: true
notify:
- Restart the spam deferral daemon
tags:
- spamd
- mail
- network
- name: Enable the spam deferral daemon
lineinfile:
line: >-
spamd_flags="-h smtp.shore.co.il -G25:12:864"
path: /etc/rc.conf.local
notify:
- Restart the spam deferral daemon
tags:
- spamd
- mail
- network
- name: Configure mail aliases
loop:
- root
- nimrod
lineinfile:
line: '{{ item }}: {{ item }}@shore.co.il'
path: /etc/mail/aliases
state: present
notify:
- Rebuild mail aliases
tags:
- aliases
- mail
- network
- name: Configure the BGP daemon
copy:
dest: /etc/bgpd.conf
mode: 0o0600
src: bgpd.conf
validate: bgpd -nf %s
diff: true
notify:
- Restart the BGP daemon
tags:
- bgp
- mail
- network
- name: Enable the BDP daemon
service:
enabled: true
name: bgpd
notify:
- Restart the BGP daemon
tags:
- bgp
- mail
- network
- name: Configure the NTP daemon
copy:
content: |
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
dest: /etc/ntpd.conf
mode: 0o0644
validate: ntpd -nf %s
diff: true
notify:
- Restart the NTP daemon
tags:
- ntp
- name: Enable the NTP daemon
service:
enabled: true
name: ntpd
notify:
- Restart the NTP daemon
tags:
- ntp
- name: Set Cron jobs
loop:
- job: /sbin/pfctl -t brute -T expire 86400 2>&1 | logger
name: PF brute table purge
special_time: daily
- job: >-
{
/usr/sbin/unbound-anchor -a /var/unbound/etc/root.key
||
/etc/rc.d/unbound restart ;
} | logger
name: Update DNSSEC root anchor
special_time: daily
- job: |-
{ sleep $((RANDOM \% 1800)) && /usr/libexec/spamd-setup; } | logger
name: idk
special_time: daily
state: absent
cron:
job: '{{ item.job }}'
name: '{{ item.name }}'
special_time: '{{ item.special_time }}'
state: '{{ item.state|default("present") }}'
user: root
tags:
- cron
- unbound
- pf
- network
- dns
- name: Disable the audio server
service:
enabled: false
name: sndiod
notify:
- Stop the audio server
tags:
- sndiod
- name: Update the host
command:
cmd: syspatch
register: syspatch
changed_when: "'Installing' in syspatch.stdout"
notify:
- Message about restarting the machine
tags:
- syspatch
- name: Configure the SSH daemon
with_dict:
PermitRootLogin: 'no'
PasswordAuthentication: 'no'
KexAlgorithms: '-diffie-hellman-group14-sha1'
# yamllint disable-line rule:line-length
MACs: '-hmac-sha1,umac-64-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com'
lineinfile:
line: '{{ item.key }} {{ item.value }}'
path: /etc/ssh/sshd_config
regexp: '{{ item.key }}'
validate: sshd -Tf %s
notify:
- Restart the SSH daemon
tags:
- ssh
# yamllint disable-line rule:line-length
- name: Configure the daily Cron job (skip email if there's nothing to report, report on pending system patches).
copy:
content: |
VERBOSESTATUS=0
syspatch -c
pkg_add -uInx | grep -v '^quirks'
dest: /etc/daily.local
group: wheel
mode: 0o044
owner: root
tags:
- cron
- mail
roles/router/vars/main.yaml 0 → 100644
+ 8
0
View file @ ff593670
---
bezeqint_password: !vault |
$ANSIBLE_VAULT;1.1;AES256
31356531363238306161666461643838343036313235306133326134646335386261626438666538
6339623132316262363930303631333532653438656134370a656530313161323364326631633635
64636433323433646630383638303763636661636535306539663062386437653364386633653065
3936646361346465320a323862633262656263366562306332363632643839396233303963343030
6633
router.yaml 0 → 100644
+ 7
0
View file @ ff593670
---
- hosts:
- ns1
roles:
- router
become: true
become_user: root
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment